pfSense: pfSense-SA-24_05.webgui: XSS vulnerability in diag_edit.php file browser in the WebGUI

Severity
6
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published
Nov 13, 2024
Added
Feb 13, 2026
Modified
Feb 16, 2026

Description
A potential Cross-Site Scripting (XSS) vulnerability was identified in
the file browser on diag_edit.php.

The pfSense Plus and pfSense CE software GUI includes a file editor,
diag_edit.php. This file editor includes a browsing function which allows
administrators to navigate through files and directories on the firewall when
selecting a file to edit. This file browser did not encode directory names
before outputting them in the file/directory list or in the breadcrumb
navigation.

This problem is present on pfSense Plus version 24.03, pfSense CE version 2.7.2,
and earlier versions of both.

A user with sufficient access to create directories with arbitrary names could
break rendering of the page. Exploit potential is minimized by the fact that "/"
is not valid in directory names so tags cannot be closed.

Because the affected directory names are output without proper encoding, there
is still a small potential that arbitrary JavaScript could be executed in the
user's browser. The user's session cookie or other information from the session
may be compromised.
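The pattern behind this advisory, as an added illustration that is not pfSense code: the function names, the query parameter and the markup are hypothetical and the real diag_edit.php differs, but the contrast is the one the description makes, a breadcrumb and directory list that concatenate names straight into HTML versus one that encodes each value for the context it lands in.

```php
<?php
// Added illustration, not pfSense code: names and markup are hypothetical.

// Vulnerable pattern: the directory name is concatenated straight into HTML,
// so "<", ">" and quote characters in the name become markup in the browser.
function render_crumbs_unsafe(string $path): string {
    $html = '';
    $accum = '';
    foreach (explode('/', trim($path, '/')) as $part) {
        if ($part === '') { continue; }
        $accum .= '/' . $part;
        $html .= '<a href="?path=' . $accum . '">' . $part . '</a> / ';
    }
    return $html;
}

// Hardened pattern: encode each untrusted value for where it is placed
// (URL query component for the href, HTML text for the visible label).
function render_crumbs_safe(string $path): string {
    $html = '';
    $accum = '';
    foreach (explode('/', trim($path, '/')) as $part) {
        if ($part === '') { continue; }
        $accum .= '/' . $part;
        $html .= '<a href="?path=' . rawurlencode($accum) . '">'
               . htmlspecialchars($part, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
               . '</a> / ';
    }
    return $html;
}

// The same rule applies to the file/directory list itself.
function render_listing_safe(array $names): string {
    $items = '';
    foreach ($names as $name) {
        $items .= '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>';
    }
    return '<ul>' . $items . '</ul>';
}

// Constructed sample name: "/" cannot appear in a directory name (so a tag
// cannot be closed, as the advisory notes), but "<", ">" and quotes can.
$dir = 'reports<i title="x">2024';
echo render_crumbs_unsafe('/tmp/' . $dir), "\n";  // raw markup from $dir reaches the page
echo render_crumbs_safe('/tmp/' . $dir), "\n";    // the same characters arrive as entities
echo render_listing_safe(['backup', $dir]), "\n";
```

Reviewing a listing page for this class of bug means checking every place a name read from the filesystem is echoed: the list entries, the breadcrumb label, and the link target each need their own context-appropriate encoding.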

Solution

pfsense-upgrade-latest