CVE-2023-42325

Name of the Vulnerable Software and Affected Versions Netgate pfSense version 2.7.0 Netgate pfSense CE versions 2.7.0 and below Netgate pfSense Plus versions 23.05.1 and below

Description The issue is related to a Cross Site Scripting (XSS) vulnerability in the status logs filter dynamic.php component of Netgate pfSense. This vulnerability can be exploited by a remote attacker to gain privileges via a crafted URL to the status logs filter dynamic.php page. By combining vulnerabilities, an attacker can force a user to activate an XSS payload and achieve Remote Code Execution (RCE).

Recommendations For Netgate pfSense version 2.7.0, consider disabling access to the status logs filter dynamic.php page until a patch is available. For Netgate pfSense CE versions 2.7.0 and below, restrict access to the vulnerable component to minimize the risk of exploitation. For Netgate pfSense Plus versions 23.05.1 and below, avoid using the crafted URL to the status logs filter dynamic.php page until the issue is resolved. As a temporary workaround, consider disabling the vulnerable function related to the status logs filter dynamic.php page until a patch is available.