Vulnonym.com

CVE-2015-6509 - Letterless Network

Description

Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) proxypass parameter to system_advanced_misc.php; (2) adaptiveend, (3) adaptivestart, (4) maximumstates, (5) maximumtableentries, or (6) aliasesresolveinterval parameter to system_advanced_firewall.php; (7) proxyurl, (8) proxyuser, or (9) proxyport parameter to system_advanced_misc.php; or (10) name, (11) notification_name, (12) ipaddress, (13) password, (14) smtpipaddress, (15) smtpport, (16) smtpfromaddress, (17) smtpnotifyemailaddress, (18) smtpusername, or (19) smtppassword parameter to system_advanced_notifications.php.

Reference

https://www.pfsense.org/security/advisories/pfSense-SA-15_06.webgui.asc