Bug #15927: Potential XSS in AutoConfigBackup backup list on ``services_acb.php`` - pfSense - pfSense bugtracker

Actions

Copy link

Bug #15927

closed

Potential XSS in AutoConfigBackup backup list on ``services_acb.php``

Added by Jim Pingle 5 months ago. Updated 4 days ago.

Status:

Resolved

Priority:

High

Assignee:

Jim Pingle

Category:

Auto Configuration Backup

Target version:

2.8.0

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

25.03

Release Notes:

Default

Affected Version:

Affected Architecture:

Description

The page at ``services_acb.php`` displays the "reason" string when listing backup entries from the server without encoding, which is a potential XSS vector.

The reason string for a backup entry is encoding when stored, but this encoding happens client-side so it may not always happen as expected. The page should escape the string before display to avoid any potential problems.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #15927

Potential XSS in AutoConfigBackup backup list on ``services_acb.php``

Updated by Jim Pingle 5 months ago

Updated by Christopher Cope 5 months ago

Updated by Jim Pingle 5 months ago

Updated by Jim Pingle 2 months ago

Updated by Jim Pingle 4 days ago