CVE-2019-18667

Name of the Vulnerable Software and Affected Versions freeradius3 package versions prior to 0.15.7 3 for pfSense on FreeBSD

Description The issue allows a user with an XSS payload as username or password to execute arbitrary JavaScript code on a victim's browser. This is due to a vulnerability in the /usr/local/www/freeradius view config.php file.

Recommendations For freeradius3 package versions prior to 0.15.7 3, update to version 0.15.7 3 or later to resolve the issue. As a temporary workaround, consider restricting access to the /usr/local/www/freeradius view config.php file to minimize the risk of exploitation. Avoid using XSS payloads in the username or password fields until the issue is resolved.