-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-25_08.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Stored XSS in OpenVPN Dashboard widget

Category:       pfSense Base System
Module:         webgui
Announced:      2025-08-04
Credits:        chuongcd
Affects:        pfSense Plus software versions < 25.07
                pfSense CE software versions < 2.8.1
Corrected:      2025-06-11 18:59:39 UTC (pfSense Plus master, 25.11)
                2025-06-12 16:15:33 UTC (pfSense Plus plus-RELENG_25_07, 25.07)
                2025-06-11 18:59:39 UTC (pfSense CE master, 2.9.0)
                2025-07-15 18:35:14 UTC (pfSense CE RELENG_2_8_1, 2.8.1)

0.   Revision History

v1.0  2025-08-04 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A potential stored Cross-Site Scripting (XSS) vulnerability was identified in
the OpenVPN Dashboard widget.

The OpenVPN widget displays the name of OpenVPN clients and shared key servers
to the user without encoding, which is a potential XSS vector.

This problem is present on pfSense Plus version 24.11, pfSense CE version 2.8.0,
and earlier versions of both.

III. Impact

Due to the lack of encoding on the interface content, the OpenVPN Dashboard
widget at openvpn.widget.php is susceptible to XSS. Arbitrary JavaScript could
be executed in the user's browser. The user's session cookie or other
information from the session may be compromised.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.
* Do not grant users write access to the configuration unnecessarily.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.

V.   Solution

Users can upgrade to pfSense Plus software version 25.07 or later, or pfSense CE
software versions after 2.8.1 when available. This upgrade may be performed in
the web interface or from the console.

  See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 24.11 and pfSense CE version 2.8.0 may apply the
fix from the recommended patches list in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes to
the affected files if the patches do not apply directly.

  See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each affected
item.

Branch/path                                                        Revision
- - -------------------------------------------------------------------------
plus/plus-master                   80a490e4d8f2c5973e63e2f54e92500a5bc29799
plus/plus-RELENG_25_07             216731090d8c24380c842d2ed20805ce2b83e438
pfSense/master                     80a490e4d8f2c5973e63e2f54e92500a5bc29799
pfSense/RELENG_2_8_1               3c98a89e56873ae4e98cfd23ac6a53dcc7083a75
- - -------------------------------------------------------------------------

VII. References

<URL:https://redmine.pfsense.org/issues/16258>
<URL:https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html>
<URL:https://docs.netgate.com/pfsense/en/latest/development/system-patches.html>

The latest revision of this advisory is available at
<URL:https://docs.netgate.com/downloads/pfSense-SA-25_08.webgui.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmiKQIoACgkQE7mH/ZIU
+Np8GBAAx3BsWgfNCm95Jw3PEmgsJjLwFD9YqWm8BmFyU2hGDktJczK3t33e+au5
XbCer6SZKFiQ/q8S0436X3DAi0hGQgo2/vvSuwiGwnVszJUOo3B3quPu1xcPVT52
pSqKA9OHndb9iDTJRlj0BJZ7I6tNAVsmRmBQj5h1uR6oBN2H/Ix0UXXsj1uRU6FQ
uvvRkd5eLhsACkoTdKy2jhTzLDA6B5NwHrrsNv2e00g0ZHcVx/Akjcog8Ac9qRBJ
go0VYkwt9Un8dklqZggiOTcdJaxcIW80NiGgUMtQTUnZVMoF5yGttiAW7wSvbe5q
GoPT9D/r0yZ3vrMXpEs8JqXvAbLMR0Mur3Z/DmX4vO624iCVq/GvXJ9kxc2TrVKA
6E74OQeC21MVHSdrabCmOJn5CrgKiHX6q3VuK3KmcZ1amVRdZPF5PSNvzzQ1t8tR
IGqHlFS7g4q77MZe2WsuLmXbr4gHEOO95cf2ltKDUIaljdM0ym0RoOOE7I4agtn/
YfbE3t2cHiY1bfusGRLppySxnTAcO8G8BqbosrZ4UnbyxCOemGu67c3ycpf1lhtN
I21Ae2CGIhbfbUMtwRtxq3y8nw6B59Qq0d+Jeij6Gh6VEYybKiIsHU9ct2n5jnp2
f/4t539jgwuNuRVH0nMJY3U+9aNUO6r67BYmasfdB7Ne5Cr5Z00=
=L3Lq
-----END PGP SIGNATURE-----