Bug #16744
closed
Potential XSS in Delegated Length value for Prefix Delegation on ``services_dhcpv6.php`` when using Kea
% Done: 100%
Plus Target Version: 26.03
Release Notes: Default
Description
The page at services_dhcpv6.php does not perform sufficient validation on the user input value of Delegated Length (pddellen) when saving settings. This value is subsequently used in JavaScript without encoding if the DHCP backend is set to Kea, which is a potential XSS vector.
The pdprefixlen also lacks sufficient validation, but it does not appear to be vulnerable.
Creating an entry with a value such as this example reproduces the problem condition:
{
"if": "lan",
"pdprefix": "2001:db8:12:34::",
"pdprefixlen": "64",
"pddellen": '64" || alert(\"XSS\") || \"',
"denyunknown": "disabled",
"save": "Save",
}
Simple POC attached.
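One way to close this class of bug, shown as an added example (not pfSense code and not the fix that was committed): validate the length as a bounded integer on save, and JSON-encode the value wherever it is written into a script. The helper names, the 1 to 128 bounds and the `var pddellen` template are assumptions made for illustration.

```php
<?php
// Added illustration, not pfSense source. The helper names, the 1..128
// bounds and the "var pddellen = ..." template are assumptions.

// Input validation on save: digits only, within bounds; null means reject.
function validate_prefix_length($raw, int $min = 1, int $max = 128): ?int
{
    // Reject non-strings, empty strings, signs, spaces, quotes, and overlong input.
    if (!is_string($raw) || strlen($raw) > 3 || !ctype_digit($raw)) {
        return null;
    }
    $n = (int) $raw;
    return ($n >= $min && $n <= $max) ? $n : null;
}

// Output encoding: emit a PHP value as a JavaScript literal that is safe
// inside a <script> block (quotes, <, >, & are written as \uXXXX escapes).
function js_literal($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed request body using the value from the report above.
$post = ['pdprefixlen' => '64', 'pddellen' => '64" || alert("XSS") || "'];

// Before: raw interpolation lets the quote in the value end the string literal.
$unsafe = 'var pddellen = "' . $post['pddellen'] . '";';

// After, layer 1: the save handler rejects the value and records an error.
$input_errors = [];
if (validate_prefix_length($post['pddellen']) === null) {
    $input_errors[] = 'Delegated Length must be an integer between 1 and 128.';
}

// After, layer 2: a value already stored in the config stays inside the literal.
$safe = 'var pddellen = ' . js_literal($post['pddellen']) . ';';

echo $unsafe, PHP_EOL, $safe, PHP_EOL, implode(PHP_EOL, $input_errors), PHP_EOL;
```

Both layers matter here: validation stops new bad values from being saved, while encoding at output covers values that were stored before the validation existed.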