Bug #14548
Status: closed
``status_logs_filter_dynamic.php`` does not encode value of ``interfacefilter`` in raw mode
% Done: 100%
Plus Target Version: 23.09
Release Notes: Default
Description
When accessing the dynamic firewall log view via ``status_logs_filter_dynamic.php`` in RAW mode (``filtersubmit=1``) the value supplied by the user in the ``interface`` parameter is used later internally through the ``interfacefilter`` parameter to fetch new updates via AJAX. When rendering the page this value is placed directly in the page without encoding inside a block of JavaScript.
Since the page also allows submitting these parameters via GET, a user could potentially be vulnerable to XSS if they visit a specially crafted link.
The user must be logged in and have sufficient privileges to access ``status_logs_filter_dynamic.php``.
Example link which will produce a JS alert when visited:
https://192.168.1.1/status_logs_filter_dynamic.php?interface=foo%22;alert(document.domain)%20//%20&filtersubmit=1
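
The sink described above next to an encoded form, as an added example that is not pfSense source code and not the fix applied for this issue. The function names, the shape of the generated JavaScript line and the interface-name pattern are assumptions made for illustration.

```php
<?php
// Added illustration; not pfSense source code. Function names are hypothetical.

// Before: the request value is concatenated into a JS string literal as-is,
// so a double quote in the value ends the literal early.
function render_filter_js_unencoded(string $interface): string
{
    return 'var interfacefilter = "' . $interface . '";';
}

// After: json_encode() emits a complete, quoted JS string literal. The HEX
// flags also escape <, >, &, ' and " as \uXXXX, so the value can close
// neither the string nor the enclosing <script> element.
function render_filter_js_encoded(string $interface): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR; // invalid UTF-8 raises JsonException
    return 'var interfacefilter = ' . json_encode($interface, $flags) . ';';
}

// Defence in depth: accept only values that look like an interface name.
// The pattern is an assumption for this example, not the project's rule.
function is_plausible_interface(string $interface): bool
{
    return preg_match('/\A[A-Za-z0-9_.]{1,32}\z/', $interface) === 1;
}

// Constructed samples: a benign value, and a value containing a double quote
// and a statement separator (the characters left unescaped in the report).
$samples = ['wan', 'foo"; /* injected statement */ //'];

foreach ($samples as $value) {
    printf("input:     %s\n", $value);
    printf("plausible: %s\n", is_plausible_interface($value) ? 'yes' : 'no');
    printf("unencoded: %s\n", render_filter_js_unencoded($value));
    printf("encoded:   %s\n\n", render_filter_js_encoded($value));
}
```

For the second sample the unencoded line contains two statements, while the encoded line remains a single string assignment with the quote emitted as `\u0022`.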