-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-19_04.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2019-05-20 Credits: Dharmesh Baskaran -- https://www.linkedin.com/in/dharmeshbaskaran CVE ID: CVE-2020-19203 Affects: pfSense software versions <= 2.4.4-p2 Corrected: 2019-05-08 20:44:26 UTC (pfSense/master, pfSense 2.5.0) 2019-05-08 20:44:26 UTC (pfSense/RELENG_2_4_4, pfSense 2.4.4-pX) 0. Revision History v1.1 2021-05-21 Added CVE ID v1.0 2019-05-20 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS. III. Impact Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround No workaround. To help mitigate the problem on older releases, use one or more of the following: * Do not give firewall administrators access to pages or functions which allow writing arbitrary files to the firewall. * Limit access to the affected pages to trusted administrators only. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to version 2.4.4-p3 or later. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users may also apply the relevant revisions below using the System Patches package to obtain the fix. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- pfSense/master 5789a02eab9b2ebbcb1f28d1d037b408b436a853 pfSense/RELENG_2_4_4 5b5bb2483cd955084809e877d56e620fe433dd1d - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmCnsIsACgkQE7mH/ZIU +Nq9fQ//Qog4Il7y4bfFDJkC0l6EK7fPJONR/395yRh8NSbiaip2nj8iWoSGgPWj TaQqZhihNjyDJnO4Dd2EpJrR3vGbI3hkOMd6nyyPL8FaaKZATIWZzeGVsHU5A4Ty YMC1ZUJVi2FRQhk4KJ+DmnMFSx7UOwxTOOwj8Yt2ZBU2mhoJ5hUSlk1y84JPDhOa PgqG43YexSFtChl94ObHaiiZceKBLO7Y94oXz6qBQC0o8r8o2tMA+jeAmiGLZ/b1 57cXgizTApj2p1NpK0yK3va1T1EVh35Jdjh5pB1rXwJ4iH3pdRgMTWtTkTBxfbdm t/uU+O1oCfjph5Obz8WFq5WNXGH/Z+e97zsifOmmJLQiMuFUrTQdbpf0VjeLQru2 7XqJdjAQco95kpKFwvMZWb1pnxizG2ox71x/Viu12OIOTcmHpIeoaY5jy2QZlss6 bHIEos+45VWEII9yvzZZSyiYGPCf/aXrJWg6C6BGaO7srij7yko5KXhR/YX74muo NhvOH6Aqt/7qgrsefzfjDDnbPx1FQ0nX/vMlZA/1SXj4Xv4rgED0rbr6uZ/VNXhm xckp1ltg/aSpgMB+2WAibrtsHiBhiOECzaxaEzFw7Dg+ZossEVOS4bKZRnH+MT5k YCZFAVT7e357etgPppULEGcLZ1m3w161iDkLVnAa05CeoF+AQs4= =SLXB -----END PGP SIGNATURE-----