pfSense: pfSense-SA-25_06.webgui: Stored XSS in IPsec Phase 1
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:M/Au:S/C:P/I:P/A:N) | May 16, 2025 | Feb 13, 2026 | Feb 16, 2026 |
Description
A potential stored Cross-Site Scripting (XSS) vulnerability was identified in IPsec Phase 1 entries.

The page at vpn_ipsec_phase1.php does not perform sufficient validation on interface values submitted by users when creating or editing IPsec Phase 1 entries. The vpn_ipsec.php page displays these stored interface values to the user without encoding, which is a potential XSS vector.

This problem is present on pfSense Plus version 24.11, pfSense CE version 2.7.2, and earlier versions of both.

Due to the lack of encoding on the interface content, the IPsec Phase 1 list on vpn_ipsec.php is susceptible to XSS. Arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised.
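
The two missing controls described above (validating the submitted interface value, and encoding the stored value when it is listed) are shown here as an added PHP example. It is not pfSense code: the function names, the interface allowlist and the sample entry are assumptions constructed for illustration.

```php
<?php
// Added illustration; not pfSense source. All names below are hypothetical.

// Assumed allowlist: the interface identifiers the system actually knows about.
const KNOWN_INTERFACES = ['wan' => 'WAN', 'lan' => 'LAN', 'opt1' => 'OPT1'];

/** Input side: accept an interface value only if it is a known identifier. */
function validate_phase1_interface(string $value): ?string
{
    return array_key_exists($value, KNOWN_INTERFACES) ? $value : null;
}

/** Output side: encode for an HTML context, including both quote styles. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** 'Before': the stored value is concatenated into the markup as-is. */
function render_row_unencoded(array $entry): string
{
    return '<tr><td>' . $entry['interface'] . '</td><td>' . $entry['descr'] . '</td></tr>';
}

/** 'After': every stored field is encoded at the point of output. */
function render_row_encoded(array $entry): string
{
    return '<tr><td>' . h($entry['interface']) . '</td><td>' . h($entry['descr']) . '</td></tr>';
}

// Constructed sample: a stored entry whose interface field carries markup.
$stored = ['interface' => 'wan"><b>injected</b>', 'descr' => 'Site-to-site'];

// Input validation refuses the value before it would be saved,
// and accepts a legitimate identifier.
var_dump(validate_phase1_interface($stored['interface']));
var_dump(validate_phase1_interface('wan'));

// Output encoding neutralises the value even if it is already stored.
echo render_row_unencoded($stored), PHP_EOL; // markup reaches the browser intact
echo render_row_encoded($stored), PHP_EOL;   // markup is rendered as literal text
```

Either control alone would have blocked the stored value in this sample; applying both means a record written before validation was added is still rendered safely.
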
Solution