Bug #9584: Potential XSS in services_acb.php via hostname parameter with legacy settings - pfSense - pfSense bugtracker

Actions

Copy link

Bug #9584

closed

Potential XSS in services_acb.php via hostname parameter with legacy settings

Added by Jim Pingle almost 5 years ago. Updated about 4 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

Backup / Restore

Target version:

2.4.5

Start date:

06/13/2019

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

All

Affected Architecture:

All

Description

If legacy settings are configured in ACB, there is a potential XSS vector in services_acb.php via the hostname parameter which is printed back to the user without encoding.

To reproduce, setup legacy settings in ACB and then load a URL such as https://x.x.x.x/services_acb.php?hostname=%3Cscript%3Ealert(0);%3C/script%3E&legacy=true

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #9584

Potential XSS in services_acb.php via hostname parameter with legacy settings

Updated by Jim Pingle almost 5 years ago

Updated by Jim Pingle over 4 years ago

Updated by Jim Pingle over 4 years ago

Updated by Jim Pingle over 4 years ago

Updated by Jim Pingle over 4 years ago

Updated by Jim Pingle about 4 years ago