pfSense: pfSense-SA-17_05.webgui: Multiple XSS vulnerabilities in the WebGUI

Description

Cross-Site Scripting (XSS) vulnerabilities were found in three pages of the pfSense software WebGUI on version 2.3.4 and earlier. * On vendor/filebrowser/browser.php, which is part of the "Browse" function on diag_edit.php, the "filename" parameter can be used to trigger an XSS if a file exists with a specially-crafted name. In order to exploit this, a user must be able to write files with arbitrary names to the firewall and then coerce an administrator with GUI access to load that same file in diag_edit.php through the file browser. * On firewall_nat_edit.php, the "interface" parameter was not validated on save, so a specially-crafted submission could store an interface with a name that could trigger an XSS through the dst_change() JavaScript function on the page. * On diag_tables.php, the "type" parameter which contains the table name to display was not being validated against a list of current tables. The unvalidated parameter was submitted back via AJAX to load the invalid table, and was presented to the user unencoded. Due to the lack of proper encoding on the affected variable susceptible to XSS, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised.