Bug #13060: Potential XSS from URL and URL Table alias URLs - pfSense - pfSense bugtracker

Actions

Copy link

Bug #13060

closed

Potential XSS from URL and URL Table alias URLs

Added by Jim Pingle over 2 years ago. Updated almost 2 years ago.

Status:

Resolved

Priority:

High

Assignee:

Jim Pingle

Category:

Aliases / Tables

Target version:

2.7.0

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

22.05

Release Notes:

Default

Affected Version:

Affected Architecture:

Description

The URL from a URL or URL Table type alias is not sanitized before display on firewall_alias.php, which can potentially lead to a stored XSS when viewing the list of aliases on the URL or All tabs.

The URL from a URL table alias is also not sanitized when included in the alias popup on various firewall and NAT rule pages, but that mechanism has its own safety measures which prevent it from being a concern there. Even so, it's best to encode it in the popup.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #13060

Potential XSS from URL and URL Table alias URLs

Updated by Jim Pingle over 2 years ago

Updated by Jim Pingle over 2 years ago

Updated by Jim Pingle almost 2 years ago