CVE-2023-42325

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-23_09.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2023-10-31 Credits: Oskar Zeino-Mahmalat (Sonar) CVE ID: CVE-2023-42325 Affects: pfSense Plus software versions <= 23.05.1 pfSense CE software versions <= 2.7.0 Corrected: 2023-07-05 18:51:06 UTC (pfSense Plus master, 23.09) 2023-07-05 18:51:06 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2023-10-31 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential Cross-Site Scripting (XSS) vulnerability was found in status_logs_filter_dynamic.php, a component of the pfSense Plus and pfSense CE software GUI. The page does not always validate or sanitize the value of the “interface” variable from user input when using RAW mode (“filtersubmit=1”), which then may be printed without encoding inside a block of JavaScript code. This problem is present on pfSense Plus version 23.05.1, pfSense CE version 2.7.0, and earlier versions of both. III. Impact Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user’s browser. The user’s session cookie or other information from the session may be compromised. The user must be logged in and have sufficient privileges to access status_logs_filter_dynamic.php. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 23.09 or later, or a pfSense CE software version after 2.7.0, when one is available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master f387c974a9a597bf01ab86ec049cca186a1e050c pfSense/master f387c974a9a597bf01ab86ec049cca186a1e050c - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmU/wRcACgkQE7mH/ZIU +NotvRAAobKxH11HjFKUNdAUA6rqv9BcRqgYWNVTVQSDM/Wmf4lw2mAvldMaaSOc KodEYJ6LWf1kZGu7VN36q59l7gn9/H42PeBNU7cNDJZaNXZd3LUG2bqRn4f8AuJA jUvPzE3w7DHcxrgHIn/3S8WI5WSVDgemzL4d6HlbzJtJ1mdF1viWkJZY6EqKRPgR Mw1adsPZyiAf7AalNRA7IJjPYTyUMxC2YSiMz2goeWd+6Zfkul9sbciTXCQwFAXO ZelZZm+arYtutXpeCJPmX3SvVcaT+f87anql20Xlijkuexr8aoMuSHOX8MYWMapY ndoNZZusoq2pUSK4VAPnhBIqtD6M7izC+bcWUBRea3h3/IiXjhPDtUtr4ONZQ3fQ HGf8ZEHd2EswpNhYbKz5cdMm37Q3JhRzVYMXFvNjsjOliF0ZyEibnO5L7W51Jujk yRu5fIli6UlfhcLD2iTOdnDnxSzxl4QiBAD0/XMVl3OQoy1R4AoFS9VtGi+EteB9 SykmgjmgIBjxSQvEyt30olt9XbVvDbi1EQDmJz6hd14P1Sy03BMn1BZoU5heN9Xc t3gdQMS01rB+EqGenXDnKvIKQ3LAb1AqNvYzn1BSrMno6YGCgSVEKw6vPEbEoI7r AX6MEZeetdwzHIEws9UEp8XYt6Q1hSmnNCJU8pfpAsuaum3SGo0= =W5mP -----END PGP SIGNATURE-----