Bug #16773: Potential XSS in Captive Portal widget - pfSense - pfSense bugtracker

Actions

Copy link

Bug #16773

closed

Potential XSS in Captive Portal widget

Added by Jim Pingle 28 days ago. Updated about 23 hours ago.

Status:

Resolved

Priority:

High

Assignee:

Jim Pingle

Category:

Captive Portal

Target version:

2.9.0

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

26.07

Release Notes:

Default

Affected Version:

Affected Architecture:

Description

If a captive portal zone is configured for an authentication method of "None", the user can still submit a username in the POST parameter auth_user. As the portal lacks authentication, this username is not relevant or validated as it would be with other methods. The Captive Portal widget (captive_portal_status.widget.php) displays this username without encoding. The status page is unaffected.

Small POC attached.

Files

Download all files

poc-xss-cp-widget.py (856 Bytes) poc-xss-cp-widget.py		Jim Pingle, 04/02/2026 07:15 PM
16773.patch (5.42 KB) 16773.patch		Jim Pingle, 04/07/2026 06:26 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #16773

Potential XSS in Captive Portal widget

Updated by Jim Pingle 23 days ago

Updated by Jim Pingle about 23 hours ago