CVE-2023-39000: System:Logging - Sanitize user input. An alphanum filter might be poss… · opnsense/core@d1f350c
A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense before 23.7 allows attackers to inject arbitrary JavaScript via the URL path.
@@ -38,8 +38,8 @@ class LogController extends IndexController
public function renderPage($module, $scope)
{
$this->view->pick(‘OPNsense/Diagnostics/log’);
$this->view->module = $module;
$this->view->scope = $scope;
$this->view->module = htmlspecialchars($module, ENT_QUOTES | ENT_HTML401);
$this->view->scope = htmlspecialchars($scope, ENT_QUOTES | ENT_HTML401);
$this->view->service = '’;
$this->view->default_log_severity = 'Warning’;
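Review bot: the fix in this hunk only output-encodes `$module` and `$scope` with `htmlspecialchars(..., ENT_QUOTES | ENT_HTML401)` before handing them to the view, which neutralises the reflected XSS in HTML text and attribute contexts but does nothing for any other context the template may use them in (a JavaScript string, a URL, or a path used to select the log file), and the original values are still accepted unchanged. Since `$module` and `$scope` are identifiers rather than free text, the allowlist validation the commit title itself suggests would be the stronger fix: reject the request when the value does not match a strict pattern, for example `if (!preg_match('/^[a-z0-9_]+$/i', $module)) { ... }` before any assignment to the view, and keep the `htmlspecialchars` call as defence in depth. Either way, the encoding belongs in the template rendering layer rather than in the controller, so that the view properties hold raw values and every output context applies its own escaping.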