4.8 CVE-2024-46538

XSS Exploit
 

A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php.
https://nvd.nist.gov/vuln/detail/CVE-2024-46538

Categories

CWE-79 : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. A common abbreviation for Cross-Site Scripting. Used as a synonym of stored (Type 2) XSS. In the early years after initial discovery of XSS, "CSS" was a commonly-used acronym. However, this would cause confusion with "Cascading Style Sheets," so usage of this acronym has declined significantly. Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved. Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses. Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. With Struts, write all data from form beans with the bean's filter attribute set to true. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth. When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues. Python Library Manager did not sufficiently neutralize a user-supplied search term, allowing reflected XSS. Python-based e-commerce platform did not escape returned content on error pages, allowing for reflected Cross-Site Scripting attacks. Universal XSS in mobile operating system, as exploited in the wild per CISA KEV. Chain: improper input validation (CWE-20) in firewall product leads to XSS (CWE-79), as exploited in the wild per CISA KEV. Admin GUI allows XSS through cookie. Web stats program allows XSS through crafted HTTP header. Web log analysis product allows XSS through crafted HTTP Referer header. Chain: protection mechanism failure allows XSS Chain: incomplete denylist (CWE-184) only checks "javascript:" tag, allowing XSS (CWE-79) using other tags Chain: incomplete denylist (CWE-184) only removes SCRIPT tags, enabling XSS (CWE-79) Reflected XSS using the PATH_INFO in a URL Reflected XSS not properly handled when generating an error message Reflected XSS sent through email message. Stored XSS in a security product. Stored XSS using a wiki page. Stored XSS in a guestbook application. Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag. Chain: library file is not protected against a direct request (CWE-425), leading to reflected XSS (CWE-79).

References


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:netgate:pfsense:2.5.2:*:*:*:*:*:*:*


REMEDIATION




EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
https://github.com/EQSTLab/CVE-2024-46538

Other Nist (github, ...)

Url
https://github.com/physicszq/web_issue/blob/main/pfsense/interfaces_groups_ed...


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
209 XSS Using MIME Type Mismatch
Medium
588 DOM-Based XSS
Very High
591 Reflected XSS
Very High
592 Stored XSS
Very High
63 Cross-Site Scripting (XSS)
Very High
85 AJAX Footprinting
Low