pfSense® Plus software, the world’s leading firewall, router, and VPN solution, provides secure network edge and cloud networking solutions for millions of deployments worldwide.
The upcoming releases of pfSense Plus 25.03 and CE 2.8.0 software include several fixes for security issues. Details about some of these issues have been made public before the releases are finalized, so we have published fixes to address them for our current releases, pfSense Plus 24.11 and CE 2.7.2 software.
Users can install or update the System Patches package and apply the fixes for these issues using its Recommended Patches function.
The available patches address the following issues:
- pfSense-SA-25_01.webgui: Multiple problems in Dashboard widget key handling which could lead to XSS, denial of service, or configuration corruption.
- pfSense-SA-25_02.webgui: OpenVPN management interface command injection from OpenVPN status and Dashboard widget.
- pfSense-SA-25_03.webgui: Potential XSS in the AutoConfigBackup backup list.
- pfSense-SA-25_04.webgui: Potential disclosure of AutoConfigBackup Device Key if SSH service is enabled and exposed to untrusted networks.
- pfSense-SA-25_05.webgui: Stored XSS in Firewall Schedules.
- pfSense-SA-25_06.webgui: Stored XSS in IPsec tunnel Phase 1 list.
- pfSense-SA-25_07.webgui: Stored XSS in Wake on LAN pages and Dashboard widget.
See our previous post about Using the System Patches Package for a walkthrough that covers these topics.