A potential stored Cross-Site Scripting (XSS) vulnerability was found in services_acb_settings.php, a component of the Auto Config Backup feature in the pfSense Plus and pfSense CE software GUI. The page does not validate or sanitize the value of the "frequency" parameter, which is stored in config.xml and may be printed without encoding inside a block of JavaScript code. This problem is present on pfSense Plus version 23.09.1, pfSense CE version 2.7.2, and earlier versions of both. Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. Because the value is stored, the attacker could also trick another administrator into visiting the compromised page. The target user's session cookie or other information from the session may be compromised. The user must be logged in, have sufficient privileges to access services_acb_settings.php, and have privileges to make changes to the configuration. Users with access to Auto Config Backup and its settings effectively have full administrator access, making this a moot point in nearly all cases. However, it is theoretically possible that a user might only be granted access to the settings tab and not the tabs which manage configuration files.
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center