Project

General

Profile

Actions
Copy link

Bug #16773

closed

Potential XSS in Captive Portal widget

Added by Jim Pingle about 2 months ago. Updated 13 days ago.

Status:
Resolved
Priority:
High
Assignee:
Jim Pingle
Category:
Captive Portal
Target version:
2.9.0
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
26.03.1
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

If a captive portal zone is configured for an authentication method of "None", the user can still submit a username in the POST parameter auth_user. As the portal lacks authentication, this username is not relevant or validated as it would be with other methods. The Captive Portal widget (captive_portal_status.widget.php) displays this username without encoding. The status page is unaffected.

Small POC attached.

Files

Download all files
poc-xss-cp-widget.py (856 Bytes) poc-xss-cp-widget.py Jim Pingle, 04/02/2026 07:15 PM
16773.patch (5.42 KB) 16773.patch Jim Pingle, 04/07/2026 06:26 PM
Actions
Copy link
 #2

Updated by Jim Pingle about 2 months ago

Fixed by commit 1519891f7636e8e2f7d13d051dc53a6c30366668

Before testing it's also worth applying f01ba7e19574b08a442df00aff934496b2f9976b.

Combined diff attached

Actions
Copy link
 #3

Updated by Jim Pingle 26 days ago

  • Status changed from Feedback to Resolved
  • Private changed from Yes to No

Patch is available in the System Patches package in the Recommended Patches section. Update the package manually if it is already installed.

Actions
Copy link
 #4

Updated by Jim Pingle 13 days ago

  • Plus Target Version changed from 26.07 to 26.03.1
Actions
Copy link

Also available in: Atom PDF