Bug #16258: Potential XSS in OpenVPN Widget - pfSense - pfSense bugtracker

Actions

Copy link

Bug #16258

closed

Potential XSS in OpenVPN Widget

Added by Jim Pingle 3 months ago. Updated about 1 month ago.

Status:

Resolved

Priority:

High

Assignee:

Jim Pingle

Category:

Dashboard

Target version:

2.8.1

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

25.07

Release Notes:

Default

Affected Version:

Affected Architecture:

Description

The OpenVPN widget prints the name of OpenVPN clients and shared key servers without encoding, leading to a potential XSS.

To reproduce, set the name of an OpenVPN client instance or shared key server instance to Blah<script>alert('XSS')</script> and then add the OpenVPN widget to the Dashboard.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #16258

Potential XSS in OpenVPN Widget

Updated by Jim Pingle 3 months ago

Updated by Georgiy Tyutyunnik 3 months ago

Updated by Jim Pingle 2 months ago

Updated by Jim Pingle 2 months ago

Updated by Jim Pingle about 1 month ago