Bug #16744
Potential XSS in Delegated Length value for Prefix Delegation on ``services_dhcpv6.php`` when using Kea
Status: Closed (100% done)
Description
The page at services_dhcpv6.php does not perform sufficient validation on the user input value of Delegated Length (pddellen) when saving settings. This value is subsequently used in JavaScript without encoding if the DHCP backend is set to Kea, which is a potential XSS vector.
The pdprefixlen also lacks sufficient validation, but it does not appear to be vulnerable.
Creating an entry with a value such as this example reproduces the problem condition:
{
"if": "lan",
"pdprefix": "2001:db8:12:34::",
"pdprefixlen": "64",
"pddellen": "64\" || alert(\"XSS\") || \"",
"denyunknown": "disabled",
"save": "Save"
}
Simple POC attached.
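The defensive side of the report, as an added example that is not pfSense's own code: the submitted Delegated Length is rejected server-side unless it is a plain integer, and whatever survives validation is emitted into the page's JavaScript as an encoded literal instead of by string concatenation. The field names follow the report; the accepted range (prefix length up to 64) is an assumption, not the page's actual rule.

```php
<?php
// Added example (not pfSense's code). Field names come from the bug report;
// the allowed range (pdprefixlen .. 64) is an assumption about the form rules.

// Server-side validation: the value must be a short decimal integer and must
// fall between the configured prefix length and 64.
function validate_pddellen(string $value, int $pdprefixlen): ?string {
    if (!preg_match('/^[0-9]{1,3}$/', $value)) {
        return "Delegated Length must be a number.";
    }
    $len = (int) $value;
    if ($len < $pdprefixlen || $len > 64) {
        return "Delegated Length must be between {$pdprefixlen} and 64.";
    }
    return null;   // null means no validation error
}

// Output encoding: even a validated value should not be concatenated into a
// <script> block. json_encode() with the HEX flags produces a JS literal that
// cannot terminate the string or close the script element.
function js_literal(string $value): string {
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed inputs: a legitimate value and the payload quoted in the report.
$cases = ['64', '64" || alert("XSS") || "'];
foreach ($cases as $pddellen) {
    $err = validate_pddellen($pddellen, 64);
    if ($err !== null) {
        echo "rejected: {$err}\n";   // the payload never reaches the page
        continue;
    }
    // Unsafe pattern the report describes (raw interpolation), shown only as a comment:
    //   $js = 'var pddellen = "' . $pddellen . '";';
    // Safe pattern: an encoded JavaScript literal.
    echo "var pddellen = " . js_literal($pddellen) . ";\n";
}
```

Both layers matter: validation stops the value at submit time, and encoding keeps the script context intact should a bad value ever reach the template by another path.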
Updated by Jim Pingle 22 days ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset commit:abe85e63b3b8427eaf8f8f672ae1f3b638763fb2.
Updated by Jim Pingle 22 days ago
- Subject changed from Potential XSS in Delegated Length value for Prefix Delegation on ``services_dhcpv6.php`` to Potential XSS in Delegated Length value for Prefix Delegation on ``services_dhcpv6.php`` when using Kea
- Description updated (diff)
Note that this requires using Kea as the DHCP server backend (subject and description updated to reflect that).
Updated by Georgiy Tyutyunnik 21 days ago
- Status changed from Feedback to Resolved
Tested on:
25.11.1-RELEASE (amd64)
built on Mon Jan 19 17:25:00 UTC 2026
FreeBSD 16.0-CURRENT
Patch fixes the issue.
After application, the provided script results in an input validation error.
Updated by Jim Pingle 21 days ago
- Plus Target Version changed from 26.07 to 26.03