vulnerability
pfSense: pfSense-SA-23_08.webgui: XSS vulnerability in the WebGUI
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:M/Au:N/C:P/I:P/A:N) | Oct 31, 2023 | Nov 7, 2023 | Feb 18, 2025 |
Description
A potential Cross-Site Scripting (XSS) vulnerability was found in
getserviceproviders.php, a component of the pfSense Plus and pfSense CE software
GUI.
The page does not always validate or sanitize the value of the "connection"
variable from user input, which then may be displayed without encoding.
This problem is present on pfSense Plus version 23.05.1, pfSense CE version
2.7.0, and earlier versions of both.
Due to the lack of proper encoding on the affected parameters susceptible to
XSS, arbitrary JavaScript could be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.
The user must be logged in and have sufficient privileges to access
getserviceproviders.php. The affected case requires a provider to only have one
plan.
Solution
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.