Rapid7 Vulnerability & Exploit Database

pfSense: pfSense-SA-21_02.captiveportal: XSS vulnerability in the WebGUI


Severity: 4
CVSS (v2 vector): (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 04/22/2021
Created: 06/03/2021
Added: 06/03/2021
Modified: 11/22/2024

Description

A Cross-Site Scripting (XSS) vulnerability was found in Captive Portal, a component of pfSense CE and pfSense Plus software, affecting pfSense CE version 2.5.1, pfSense Plus version 21.02.2, and earlier versions of both. The Captive Portal login page presented to clients neither validated the contents of the redirurl parameter nor encoded it on output, so an arbitrary value supplied in that parameter is reflected into the page verbatim, leading to a reflected XSS.

If a Captive Portal user visits a manually crafted URL for the Captive Portal login page that carries a malicious redirurl value, and then follows the resulting link, arbitrary JavaScript can execute in their browser. The user's session cookie or other information held by the browser session may be compromised.

Note that this has no effect on the security of the firewall or of the Captive Portal system itself: the issue applies only to Captive Portal user sessions and the client web browser. The Captive Portal login session is restricted by IP address and, by default, also by MAC address, so the user's Captive Portal login session could not be taken over via JavaScript alone; there may, however, be other client- and browser-specific concerns.
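The following is an added illustration, not code from pfSense or from Rapid7, of the two missing controls the description names (input validation of redirurl and output encoding). It models a minimal login form renderer in Python rather than pfSense's PHP, contrasting the reflecting pattern with a hardened one. The payload, the URL values and the function names are constructed for this example; the validator's policy (accept only http/https URLs with a host, or a site-relative path that is not protocol-relative) is an assumption chosen here, not pfSense's own rule.

```python
import html
from urllib.parse import urlparse

# Constructed example payload: breaks out of the value="..." attribute and
# injects a script tag. Not taken from any real report.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_login_vulnerable(redirurl: str) -> str:
    """Reflects redirurl into a hidden form field with no validation and no
    encoding: the pattern the advisory describes."""
    return (
        '<form method="post" action="/index.php">'
        f'<input type="hidden" name="redirurl" value="{redirurl}">'
        '<input type="submit" value="Continue">'
        '</form>'
    )


def validate_redirurl(value: str) -> str:
    """Assumed allow-list policy (example only): keep absolute http/https
    URLs that name a host, or site-relative paths; drop everything else
    (javascript: URIs, protocol-relative //host paths, junk)."""
    parts = urlparse(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return value
    if (not parts.scheme and not parts.netloc
            and value.startswith("/") and not value.startswith("//")):
        return value
    return ""


def render_login_hardened(redirurl: str) -> str:
    """Validate first, then HTML-encode on output. Encoding is kept even for
    values the validator accepts, because a syntactically valid URL can still
    carry quote and angle-bracket characters."""
    safe = html.escape(validate_redirurl(redirurl), quote=True)
    return (
        '<form method="post" action="/index.php">'
        f'<input type="hidden" name="redirurl" value="{safe}">'
        '<input type="submit" value="Continue">'
        '</form>'
    )


def contains_raw_payload(page: str, payload: str) -> bool:
    """True if the payload reached the page unencoded (i.e. it would be
    parsed as markup by the browser)."""
    return payload in page


if __name__ == "__main__":
    print("vulnerable :", render_login_vulnerable(PAYLOAD))
    print("hardened   :", render_login_hardened(PAYLOAD))
    # A valid-looking URL that still smuggles markup: the validator keeps it,
    # the encoder neutralises it.
    print("valid+enc  :", render_login_hardened('https://example.com/"><script>'))
```

The check to carry over when auditing any login or redirect page is the last case: validation alone is not sufficient, because a value that passes a URL allow-list can still contain `"` or `<`, so the output must be context-encoded regardless.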

Solution(s)

  • pfsense-upgrade-latest (upgrade to a pfSense CE release later than 2.5.1, or a pfSense Plus release later than 21.02.2)
