-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-25_05.webgui Security Advisory pfSense Topic: Stored XSS in Firewall Schedules Category: pfSense Base System Module: webgui Announced: 2025-05-16 Credits: Pablo Sanchez and Blanca Valencia of CovertSwarm Limited https://www.covertswarm.com/ Affects: pfSense Plus software versions < 25.03 pfSense CE software versions < 2.8.0 Corrected: 2025-04-01 12:20:43 UTC (pfSense Plus master, 25.07) 2025-04-01 16:03:54 UTC (pfSense Plus plus-RELENG_25_03, 25.03) 2025-04-01 12:20:43 UTC (pfSense CE master, 2.9.0) 2025-04-01 16:03:39 UTC (pfSense CE RELENG_2_8_0, 2.8.0) 0. Revision History v1.0 2025-05-16 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential stored Cross-Site Scripting (XSS) vulnerability was identified in Firewall Schedules. The page at firewall_schedule_edit.php does not perform sufficient validation on schedule values submitted by users when creating or editing schedules. The firewall_schedule.php page displays parts of those stored schedule values to the user without encoding, which is a potential XSS vector. This problem is present on pfSense Plus version 24.11, pfSense CE version 2.7.2, and earlier versions of both. III. Impact Due to the lack of encoding on the schedule content, the schedule list on firewall_schedule.php is susceptible to XSS. Arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. * Do not grant users write access to the configuration unnecessarily. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 25.03 or later, or pfSense CE software versions after 2.8.0 when available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 24.11 and pfSense CE version 2.7.2 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master dfc70e51d556d8c1724bfc7f1fd5fe4b73faab3b plus/plus-RELENG_25_03 41d8e40f6660c696af8ec1b8ac21200a99877900 pfSense/master dfc70e51d556d8c1724bfc7f1fd5fe4b73faab3b pfSense/RELENG_2_8_0 9e57069dd802963ec010fd0adad2ba8278100ddf - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmgnYzUACgkQE7mH/ZIU +NqFuRAAz/cqyI6Ca1f4JWX2PiRf0aPadsWKHNR/+DAygOkWKhQGV7hOGjIT8PBv RCPbWGfXmfyjdrEM4gDtrzDCJidd5/SKgzZW+9wa767O8TsrpM8+cZriSy18Ynyk C0OlgO3E7HTxcdeuJAbZMhBk7jZBTDhycNpzDWjrqMixxQUwFwgoCQ9Per0deD96 wbnTsuhzDa2rS20gr8KLoxk+HjZU16w2VOjEvRvz2QHD7BnvzI8/vqtjMDzIl86x xeyPjC2eFzLic1NhNi2OKvLTPv3/mSJ6DKOPJQYrJVQyLTJl9q1lgFuiJ2oyXXEW 6N2Y299f0Q96Ij8juukY/pXxmJlXmKdEb4+lxGdgOmz8gVja48Zm/z6Pm8EbBYeg itfOeM6uSXTAnVkHoOd3F/KxRAruSMh0elNO/td5UB0PaIFP585Q2kEfvgFcvE6/ XvzIcn/9nLN9GOdLNg72FuUw418BGjnsDV6zGlAEC+8OLDUhCfKjgJidW9J+uATK UZec8uYyfvE70tNAs1pfTDBJiCWlCMz6MM1YoB4q2XLPL6aV0xRbqdJZG6JaLqUt +4rgPbX6dpMllBQ4MUKfzsTvLK1TmV+to3ZSMf01zMu3nRM7XTxCtd0k3EVW+Vd7 VcfJi954i/B2GPB6L/15yjcydMoVpECv+xdIFEnZ2g/Qf/ErkvQ= =Uou3 -----END PGP SIGNATURE-----