Bug #9554: Stored XSS in ACME Package (version 0.5.7_1) /acme/acme_accountkeys_edit.php - pfSense Packages - pfSense bugtracker

Actions

Copy link

Bug #9554

closed

Stored XSS in ACME Package (version 0.5.7_1) /acme/acme_accountkeys_edit.php

Added by Chi Tran almost 5 years ago. Updated over 4 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

ACME

Target version:

Start date:

05/25/2019

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Affected Version:

2.4.4-p3

Affected Plus Version:

Affected Architecture:

amd64

Description

Stored XSS vulnerability occurs due to input validation errors in "Name" and "Description" fields when adding new account key.

Remediation:
- HTML Escape on those parameters would probably fix the issue.

Proof of Concept:
- See attached picture

Files

Stored XSS.PNG (34.4 KB) Stored XSS.PNG

Chi Tran, 05/25/2019 04:05 PM

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense » pfSense Packages

Custom queries

Bug #9554

Stored XSS in ACME Package (version 0.5.7_1) /acme/acme_accountkeys_edit.php

Updated by Jim Pingle almost 5 years ago

Updated by Jim Pingle almost 5 years ago

Updated by Jim Pingle almost 5 years ago

Updated by Jim Pingle almost 5 years ago

Updated by Jim Pingle over 4 years ago