Signature Detail
This site is deprecated. Please CLICK HERE for latest updates
Short Name |
HTTP:PFSENSE-ZONE-CSS |
|---|---|
Severity |
Major |
Recommended |
Yes |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
pfSense WebGUI Zone Parameter Cross-Site Scripting |
Release Date |
2015/08/27 |
Update Number |
2529 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
HTTP: pfSense WebGUI Zone Parameter Cross-Site Scripting
A cross-site scripting vulnerability has been reported in pfSense. The vulnerability is due to services_captiveportal_zones.php not validating the zone parameter when the act parameter is set to del. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted link. Successful exploitation will result in the attacker-controlled script code being executed in the target user's browser in the context of the affected site.
Extended Description
Cross-site scripting (XSS) vulnerability in the WebGUI in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the zone parameter in a del action to services_captiveportal_zones.php.
Affected Products
- Netgate pfsense 2.2.2
References
- CVE: CVE-2015-4029