-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-25_07.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Stored XSS in Wake on LAN pages and Dashboard widget

Category:       pfSense Base System
Module:         webgui
Announced:      2025-05-16
Credits:        Pablo Sanchez and Blanca Valencia of CovertSwarm Limited
                https://www.covertswarm.com/
Affects:        pfSense Plus software versions < 25.07
                pfSense CE software versions < 2.8.0
Corrected:      2025-04-01 15:22:07 UTC (pfSense Plus master, 25.11)
                2025-04-01 16:03:54 UTC (pfSense Plus plus-RELENG_25_07, 25.07)
                2025-04-01 15:22:07 UTC (pfSense CE master, 2.9.0)
                2025-04-01 16:03:39 UTC (pfSense CE RELENG_2_8_0, 2.8.0)

0.   Revision History

v1.1  2025-07-02 Updated pfSense Plus software version numbers
v1.0  2025-05-16 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A potential stored Cross-Site Scripting (XSS) vulnerability was identified in
Wake on LAN pages and the Wake on LAN Dashboard widget.

The page at services_wol_edit.php does not perform sufficient validation on
interface values submitted by users when creating or editing Wake on LAN
entries. The services_wol.php page and the Wake on LAN Dashboard widget
at wake_on_lan.widget.php display these stored interface values to the user
without encoding, which is a potential XSS vector.

This problem is present on pfSense Plus version 24.11, pfSense CE version 2.7.2,
and earlier versions of both.

III. Impact

Due to the lack of encoding on the interface content, the Wake on LAN list on
services_wol.php page and the Wake on LAN Dashboard widget at
wake_on_lan.widget.php are susceptible to XSS. Arbitrary JavaScript could be
executed in the user's browser. The user's session cookie or other information
from the session may be compromised.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.
* Do not grant users write access to the configuration unnecessarily.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.

V.   Solution

Users can upgrade to pfSense Plus software version 25.07 or later, or pfSense CE
software versions after 2.8.0 when available. This upgrade may be performed in
the web interface or from the console.

  See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 24.11 and pfSense CE version 2.7.2 may apply the
fix from the recommended patches list in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes to
the affected files if the patches do not apply directly.

  See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each affected
item.

Branch/path                                                        Revision
- - -------------------------------------------------------------------------
plus/plus-master                   6a92af14584d22f077e1421e952674f880cd5b6c
plus/plus-RELENG_25_07             50d720be2a66fdf0278140f03728fb136129b7a5
pfSense/master                     6a92af14584d22f077e1421e952674f880cd5b6c
pfSense/RELENG_2_8_0               9d1bb442924f1fe3027415dd75da2394d2ef3083
- - -------------------------------------------------------------------------

VII. References

<URL:https://redmine.pfsense.org/issues/16116>
<URL:https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html>
<URL:https://docs.netgate.com/pfsense/en/latest/development/system-patches.html>

The latest revision of this advisory is available at
<URL:https://docs.netgate.com/downloads/pfSense-SA-25_07.webgui.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmhleAkACgkQE7mH/ZIU
+NogcBAApVJZLU7ibFvlAOcf0g0dk2jNZ0aiL8NSrWPQzt+TtPSmBkXucv27ZHj1
pbJkiDXQne3sNWWZCMFA5Npu/SnE0xE+AIPI+Pz+cxxZELIONGrB/Tertwu0eN82
Q+bRGWKC3z0PDsXcTYBaie0VDu/iqs+1A5InmA8ql2J62j2jdA6UDIgJkhTCr+6B
1Gvs/bn37PV4IhXOXm2QSRRzBDDnZM7hpPsv4lxUMu+hxKNiAJ84uv3gCrDoUNYh
2+zxufRQDqORHDlyJtlO2J2YAguwd7ZtOk3HzKMbOkUTCC23Gv/wSG5igLfYXzyZ
4cMCKyjXnChoz1gVArZroqiWwAbbiaBWRqwfNrWdyA3ajtN5I1Fh/x4B7CYyUMvU
swOotyvOzgWsIxyGFi4pzmgge11uXPNNGKxyVj0bcS6GVMsU5HYRLmqByfpLJH2d
siQCxv0ugM5s+CLDP6PRYBolk/lZ2DB7Vtt7bra+3x7YCgBiioDflQIRpusHGQxQ
q47veNRx0hD7HKLr/sS6tpU2UNYCWwQmw7nr2HX2eqRD510goA0O1vrE0JjLL8Te
Ycs+TtJzXsUS3spMDbwyCsIxmS6aSQYTIupMwjyzPNfd47VCBLS2pRnZmH+NYW/9
jQDn0njZnBGiQWsq/DRe+epvUpHugpF+FDgs+Lzkd9Oda16dhco=
=bVJW
-----END PGP SIGNATURE-----