CVE-2024-57273

Name of the Vulnerable Software and Affected Versions: Netgate pfSense CE versions prior to 2.8.0 beta release Netgate pfSense CE corresponding Plus builds versions prior to 2.8.0 beta release

Description: The issue allows remote attackers to execute arbitrary JavaScript, delete backups, or leak sensitive information via an unsanitized reason field and a derivable device key generated from the public SSH key. This is due to Cross-site scripting (XSS) in the Automatic Configuration Backup (ACB) service.

Recommendations: For versions prior to 2.8.0 beta release, update to version 2.8.0 beta or later to resolve the issue. As a temporary workaround, consider restricting access to the Automatic Configuration Backup (ACB) service until a patch is available. Avoid using the unsanitized reason field in the ACB service until the issue is resolved.