CVE-2022-42247: Encode path+fn in browser.php. Fixes #13262 · pfsense/pfsense@73ca674
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
@@ -148,7 +148,7 @@ function get_content($dir) {
?>
<tr>
<td></td>
<td class="fbFile vexpl text-left" id="<?=$fqpn;?>">
<td class="fbFile vexpl text-left" id="<?=htmlspecialchars($fqpn);?>">
<?php $filename = htmlspecialchars(addslashes(str_replace("//","/", “{$path}/{$file}”))); ?>
<div onClick="$(‘#fbTarget’).val(‘<?=$filename?>’); loadFile(); $(‘#fbBrowser’).fadeOut();">
<img src="/vendor/filebrowser/images/file_<?=$type;?>.gif" alt="" title="">
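Review bot: The `onClick` handler two lines below the changed `<td>` still places `$filename` inside a single-quoted JavaScript string within an HTML attribute, relying on `htmlspecialchars(addslashes(...))` for both layers. `addslashes` is not a JavaScript string escaper (it only handles quotes, backslashes and NUL, so a line break in a file name passes through), which leaves this line as the weakest spot in the row now that the `id` is encoded. Consider emitting the path once, HTML-encoded, in a `data-` attribute on the element and reading it in the handler, or encoding it with `json_encode` before `htmlspecialchars`. On the changed line itself, passing `ENT_QUOTES` explicitly to `htmlspecialchars($fqpn)` would keep the `id` encoding independent of the PHP default flags.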