Bug #16770

closed

Potential XSS in RSS Widget feed content post titles

Added by Jim Pingle 3 days ago. Updated 2 days ago.

Status: Resolved
Priority: High
Assignee:
Category: Dashboard
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 26.07
Release Notes: Default
Affected Version:
Affected Architecture:

Description

The RSS widget library does not encode post titles before display as it does with other content. As a consequence, if a feed configured in the RSS widget supplies content with a malicious payload in a post title, it could be delivered to the user's browser and executed.

A sample feed is attached.
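To make the fix concrete, here is an added PHP illustration (not pfSense's widget code) of the pattern the report describes: feed fields that reach the page must all pass through the same HTML encoding at output time, titles included. The feed below is constructed for the example and is not the attached badfeed.xml; the function names are hypothetical.

```php
<?php
// Constructed sample feed. Note the second title: the XML parser decodes
// the entities, so the PHP string the widget receives already contains
// raw <b>...</b> markup, which is exactly how feed-supplied HTML reaches
// the browser when a field is printed without encoding.
$feedXml = <<<'XML'
<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example feed</title>
<item><title>Plain title</title><link>https://example.invalid/1</link></item>
<item><title>&lt;b&gt;Markup &amp; entities&lt;/b&gt;</title><link>https://example.invalid/2</link></item>
</channel></rss>
XML;

// One encoder for every untrusted string, applied once, at output time.
// ENT_QUOTES covers both text and attribute contexts.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (what the report describes): link encoded, title not.
function render_items_unencoded_title(string $xml): string {
    $rss = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($rss === false) { return ''; }
    $out = '';
    foreach ($rss->channel->item as $item) {
        $out .= '<li><a href="' . h((string)$item->link) . '">'
              . (string)$item->title . '</a></li>' . "\n";
    }
    return $out;
}

// Hardened pattern: title treated like every other feed field.
function render_items(string $xml): string {
    $rss = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($rss === false) { return '<li>Feed could not be parsed.</li>' . "\n"; }
    $out = '';
    foreach ($rss->channel->item as $item) {
        $out .= '<li><a href="' . h((string)$item->link) . '">'
              . h((string)$item->title) . '</a></li>' . "\n";
    }
    return $out;
}

echo "<ul>\n" . render_items($feedXml) . "</ul>\n";
// The second item renders as literal text "<b>Markup & entities</b>"
// instead of being interpreted as markup.
```

A quick regression check for a widget is to diff the two renderers' output on a feed whose titles contain angle brackets: the hardened one must never emit them unencoded.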


Files

badfeed.xml (523 Bytes), added by Jim Pingle, 03/31/2026 07:16 PM