
Bug #16258

closed

Potential XSS in OpenVPN Widget

Added by Jim Pingle 3 months ago. Updated about 1 month ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Dashboard
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
25.07
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

The OpenVPN widget prints the name of OpenVPN clients and shared key servers without encoding, leading to a potential XSS.

To reproduce, set the name of an OpenVPN client instance or shared key server instance to Blah<script>alert('XSS')</script> and then add the OpenVPN widget to the Dashboard.
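The pattern behind this class of bug, as an added PHP example that is not pfSense's widget code and not the patch referenced in this ticket: a dashboard row is built by string-concatenating an admin-supplied instance description straight into HTML, so a description such as the one in the reproduction step becomes live markup. The function and variable names (`render_row_vulnerable`, `render_row_safe`, `h`, `$instances`) and the sample descriptions are hypothetical and constructed for the example; the hardened row uses `htmlspecialchars` with `ENT_QUOTES`, which is the standard PHP output-encoding call rather than a claim about what the actual fix used.

```php
<?php
// Added example, not pfSense code. Models how a dashboard widget row
// turns a user-controlled instance description into a stored XSS sink,
// and the output-encoded version of the same row.

// Constructed sample data: OpenVPN client / shared-key server descriptions
// as an administrator could have saved them in the GUI.
$instances = [
    ['description' => 'Office VPN',                           'status' => 'up'],
    ['description' => "Blah<script>alert('XSS')</script>",    'status' => 'down'],
    ['description' => 'x" onmouseover="alert(1)',             'status' => 'up'],
];

// Vulnerable pattern: the description is interpolated into HTML unencoded,
// so any markup in it is interpreted by the browser.
function render_row_vulnerable(array $inst): string {
    return '<tr><td title="' . $inst['description'] . '">'
         . $inst['description'] . '</td><td>' . $inst['status'] . '</td></tr>';
}

// Hardened pattern: every untrusted value placed into HTML text or an
// attribute goes through one encoding helper. ENT_QUOTES encodes both
// quote styles so the helper is safe inside double- and single-quoted
// attributes; ENT_SUBSTITUTE avoids returning an empty string on bad UTF-8.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_safe(array $inst): string {
    return '<tr><td title="' . h($inst['description']) . '">'
         . h($inst['description']) . '</td><td>' . h($inst['status']) . '</td></tr>';
}

// Simple regression check for a widget: after encoding, no raw tag or
// attribute-breaking quote from the input may survive in the output.
function leaks_markup(string $html, string $untrusted): bool {
    if ($untrusted === h($untrusted)) {
        return false; // nothing in the input needed encoding
    }
    return str_contains($html, $untrusted);
}

foreach ($instances as $inst) {
    $bad  = render_row_vulnerable($inst);
    $good = render_row_safe($inst);
    printf("vulnerable (leaks=%s): %s\n", leaks_markup($bad, $inst['description']) ? 'yes' : 'no', $bad);
    printf("hardened   (leaks=%s): %s\n", leaks_markup($good, $inst['description']) ? 'yes' : 'no', $good);
}
```

Running this prints the second and third rows twice: the vulnerable rows contain the `<script>` element and the attribute-terminating `"` verbatim, while the hardened rows carry `&lt;script&gt;`, `&quot;` and `&#039;` and display the description as literal text. The `leaks_markup` check is the kind of assertion worth keeping in a widget's test so that a later refactor cannot reintroduce the raw echo.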

Actions #1

Updated by Jim Pingle 3 months ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Georgiy Tyutyunnik 3 months ago

  • Status changed from Feedback to Resolved

Patch fixes the issue.
tested on
25.07-DEVELOPMENT (amd64)
built on Tue Jun 10 6:00:00 UTC 2025
FreeBSD 15.0-CURRENT

Actions #4

Updated by Jim Pingle 2 months ago

  • Plus Target Version changed from 25.03 to 25.07
Actions #5

Updated by Jim Pingle 2 months ago

  • Target version changed from 2.9.0 to 2.8.1
Actions #6

Updated by Jim Pingle about 1 month ago

  • Private changed from Yes to No