Netgate Security Advisory
pfSense Plus Software Version 23.01
 

pfSense® Plus software 23.01-RELEASE includes fixes for multiple potential vulnerabilities:

pfSense Plus Security Advisories:

  • pfSense-SA-23_01.webgui: A potential XSS vulnerability in diag_edit.php from browsing directories containing specially crafted filenames on the filesystem.
  • pfSense-SA-23_02.webgui: A potential XSS vulnerability in system_camanager.php and system_certmanager.php from specially crafted descriptions when editing entries.
  • pfSense-SA-23_03.webgui: A potential authenticated arbitrary file creation vulnerability from the name parameter when creating or editing URL table aliases.
  • pfSense-SA-23_04.webgui: A potential authenticated arbitrary command execution vulnerability in status.php from specially crafted filenames on the filesystem.
  • pfSense-SA-23_05.sshguard: Anti-brute force protection bypass for GUI authentication requests containing certain proxy headers.

Users of pfSense Plus 22.05.x and pfSense CE 2.6.0 can obtain corrections for these issues from the Recommended Patches area of the System Patches package (https://docs.netgate.com/pfsense/en/latest/development/system-patches.html).

Additionally, pfSense Plus 22.05-RELEASE included a fix for one vulnerability for which we did not previously publish an advisory:

Users of pfSense CE 2.6.0 can obtain a correction for this issue from the Recommended Patches area of the System Patches package (https://docs.netgate.com/pfsense/en/latest/development/system-patches.html).

For more information on this issue, read the signed advisories linked above.



© Copyright 2023 Rubicon Communications, LLC
Netgate is a registered trademark of Rubicon Communications, LLC
pfSense is a registered trademark of Electric Sheep Fencing, LLC
Other trademarks are the property of their respective owners.