Bug #9554
Stored XSS in ACME Package (version 0.5.7_1) /acme/acme_accountkeys_edit.php
Start date:
05/25/2019
Due date:
% Done:
100%
Estimated time:
Affected Version:
2.4.4-p3
Affected Architecture:
amd64
Description
Stored XSS vulnerability occurs due to input validation errors in "Name" and "Description" fields when adding new account key.
Remediation:
- HTML Escape on those parameters would probably fix the issue.
Proof of Concept:
- See attached picture
History
#1
Updated by Jim Pingle over 1 year ago
- Project changed from pfSense to pfSense Packages
- Category set to ACME
- Assignee set to Jim Pingle
In the future, do not report security issues via Redmine. See https://www.netgate.com/security/
#2
Updated by Jim Pingle over 1 year ago
- Private changed from No to Yes
#3
Updated by Jim Pingle over 1 year ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Fixed in ACME 0.5.8
#4
Updated by Jim Pingle over 1 year ago
- Private changed from Yes to No
#5
Updated by Jim Pingle over 1 year ago
- Status changed from Feedback to Resolved