pfSense: pfSense-SA-21_02.captiveportal: XSS vulnerability in the WebGUI

Description

A Cross-Site Scripting (XSS) vulnerability was found in Captive Portal, a component of pfSense CE and pfSense Plus software, on pfSense CE version 2.5.1, pfSense Plus version 21.02.2, and earlier versions of both. The Captive Portal page presented to clients at login did not validate the contents of the redirurl field, nor did it encode the output when passed an arbitrary value, leading to a possible XSS. If a logged-in captive portal user visits a manually crafted URL for the Captive Portal login page which contains a malicious value for redirurl, and then follows the resulting link, it could lead to arbitrary JavaScript code being executed in their browser. This is possible due to the lack of proper encoding on the affected parameters susceptible to XSS. The user's session cookie or other information from the session may be compromised. Note that has no effect on the security of the firewall or Captive Portal system itself as this only applies to Captive Portal user sessions and the client web browser. The Captive Portal login session itself is restricted by IP address and, by default, also by MAC address. Thus the user's Captive Portal login session could not be compromised via JavaScript, but there may be other client and/or browser-specific concerns.