CVE-2020-19203: Releases — 2.4.4-p3 New Features and Changes

An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS.
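As an added illustration (not pfSense's widget code), the unsafe output pattern the advisory describes beside its hardened form; the entries, field names and function names are constructed for the example:

```php
<?php
// Added illustration, not pfSense's widget code. Entries and function names
// are constructed; the second description is a harmless marker standing in
// for whatever an authenticated user stored through the WOL settings page.
$wol_entries = [
    ['interface' => 'lan', 'mac' => '00:11:22:33:44:55', 'descr' => 'File server'],
    ['interface' => 'lan', 'mac' => '66:77:88:99:aa:bb',
     'descr' => '<script>alert("wol")</script>'],
];

// The pattern the advisory describes: descr concatenated into HTML unencoded.
// Anything stored in the field becomes markup when the dashboard renders it.
function render_wol_row_unsafe(array $e): string
{
    return '<tr><td>' . $e['interface'] . '</td><td>' . $e['mac']
         . '</td><td>' . $e['descr'] . '</td></tr>';
}

// Hardened form: encode every user-controlled field at the point of output,
// with ENT_QUOTES so values are safe inside attribute values as well as text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_wol_row_safe(array $e): string
{
    return '<tr><td>' . h($e['interface']) . '</td><td>' . h($e['mac'])
         . '</td><td>' . h($e['descr']) . '</td></tr>';
}

// Regression check a reviewer can run over rendered output: no stored value
// containing markup characters may appear verbatim. True when the row is safe.
function row_is_encoded(string $html, array $e): bool
{
    foreach ($e as $value) {
        if (strpbrk($value, '<>"\'') !== false && strpos($html, $value) !== false) {
            return false;
        }
    }
    return true;
}

foreach ($wol_entries as $e) {
    $unsafe = render_wol_row_unsafe($e);
    $safe   = render_wol_row_safe($e);
    printf("unsafe encoded=%s: %s\n", var_export(row_is_encoded($unsafe, $e), true), $unsafe);
    printf("safe   encoded=%s: %s\n", var_export(row_is_encoded($safe, $e), true), $safe);
}
```

The unsafe row for the second entry fails the check because the stored description reaches the page as live markup; the encoded row passes because every `<`, `>` and quote has been turned into an entity.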


The pfSense Documentation

pfSense® software version 2.4.4-p3 addresses security and other issues found in 2.4.4-p2.

Warning

The upcoming pfSense release version 2.5.0 deprecates the built-in load balancer, and all related code has been removed as it is not compatible with FreeBSD 12. Plan migrations to alternate solutions such as the HAProxy package now.

See the 2.5.0 release notes for more information.

Security / Errata

  • Changed sshguard to block both ssh and the GUI using a single table, and removed the unnecessary manual scheduled table expiration pfSense-SA-19_02.sshguard #9223

  • Fixed potential XSS vectors

    • pfSense-SA-19_01.webgui : Fixed potential XSS vectors in system_advanced_admin.php, interfaces_assign.php, firewall_rules_edit.php, firewall_shaper.php, services_igmpproxy_edit.php, services_ntpd_gps.php and diag_traceroute.php #9294

    • pfSense-SA-19_03.webgui : Fixed potential XSS vector in status_filter_reload.php #9499

    • pfSense-SA-19_04.webgui : Fixed potential XSS vector in the WOL widget #9507

    • pfSense-SA-19_05.webgui : Fixed potential XSS vector in services_acb.php #9508

  • Fixed privilege issues

    • pfSense-SA-19_06.webgui : Restrict edit access to OpenVPN-related advanced settings, and added new privilege to delegate edit permissions #9511

    • pfSense-SA-19_07.webgui : Strengthen widget privilege matching to avoid a potential privilege bypass for users granted access to widgets #9512

    • pfSense-SA-19_08.webgui : Strengthen path privilege check to avoid a potential directory-traversal-like bypass method #9513

    • Added privileges for Auto Config Backup pages #9519

    • Updated privileges: Added misc missing pages, removed obsolete pages

  • Addressed FreeBSD Security Advisories:

    • FreeBSD-SA-19:03.wpa

    • FreeBSD-SA-19:04.ntp

    • FreeBSD-SA-19:05.pf

    • FreeBSD-SA-19:06.pf

    • FreeBSD-SA-19:07.mds

    • FreeBSD-EN-19:08.tzdata

  • Added DNS over TLS host verification #8602

    • Configure hostnames for DNS over TLS servers under System > General

  • sqlite updates #9205

Backup / Restore

  • Fixed issues with output buffering causing configuration backup download failures #9390

  • Fixed automatic package reinstallation after restoring config.xml from the installer #9214

  • Force <enableserial> when restoring a backup on a device with a serial-only console

Certificates

  • Added missing countries from CA list on certificate pages #9308

  • Fixed an error when adding a new user and choosing to generate a certificate #9317

DNS

  • Fixed input validation on diag_dns.php to allow a trailing dot on hostnames #9276

  • Removed non-functional tools links from diag_dns.php #9275

  • Fixed rewriting of the DNS Resolver file remotecontrol.conf if it is present but empty #9470

Firewall Rules / NAT / Aliases

  • Fixed intermittent pf errors when NAT reflection is enabled #9446

  • Fixed reserved pf keyword matching when creating and editing aliases #9231

  • Fixed duplicate entries showing on diag_tables.php from lockout tables #9359

  • Fixed a PHP error deleting an imported NAT rule with no firewall rules present #9193

  • Do not show scheduler icon when scheduler tag is empty

Gateways / Routing

  • Fixed issues with the default IPv4 gateway set to a group failing after restart #9004

Interfaces

  • Fixed PHP error from interface groups when editing QinQ entries

IPsec

  • Fixed IPsec Phase 1 entries on upgrade to have their protocol field populated properly #9207

Operating System

  • Fixed support for ZFS encrypted+mirrored swap #9281

  • Fixed problems saving crash dumps when /var is a RAM disk #9409

Traffic Shaping

  • Fixed a PHP error when loading a limiter that does not exist #9313

  • Fixed limiter selection validation

  • Fixed Queues menu items ending with “:” in certain languages #8970

WebGUI

  • Numerous optimizations and improvements for status.php diagnostics output #9290

  • Fixed a PHP error on system_advanced_network.php when disabling “IPv6 over IPv4 Tunneling” #9264

  • Improved handling of large captures on diag_packet_capture.php and disabled viewing of captures larger than 50 MiB #9239

  • Added hostname to login page title if the user has enabled Show hostname on login banner #9096

  • Centralized the list of country codes used by multiple areas #9308

  • Updated translation files

XMLRPC

  • Clarified conditions for synchronizing certificates in HA Sync options #9283
