Critical Vulnerability Information

Vulnerability Description

Issue: Multiple issues in Dashboard widget key handling, stemming from insufficient validation of Dashboard widget keys submitted by the client.

Affected Versions:
- pfSense Plus: versions 24.11 and earlier
- pfSense CE: versions 2.7.2 and earlier

Impact

Potential Risks:
- A malicious client can populate the widget key parameter with arbitrary data, leading to misconfiguration and providing a potential XSS attack vector.
- Submitting a value containing XML markup may render the stored configuration unreadable, disrupt GUI access, and potentially cause the system to crash.
- Because some values are not securely encoded on output, certain widgets may be vulnerable to XSS, allowing arbitrary JavaScript to execute in the browser of an administrator who views the Dashboard.

Remediation

Upgrade Recommendation:
- Upgrade to pfSense Plus 25.03 or later, or pfSense CE 2.8.0 or later (when available).
- Alternatively, apply the fixes using the recommended patch list in the System Patches package, or manually apply the relevant revisions.

Workaround

Temporary Mitigations:
- Restrict access to the affected pages to trusted administrators only.
- Do not grant users write configuration permissions they do not need.
- Avoid logging into the firewall from the same browser session used for non-administrative web browsing.

References
- Redmine Issue
- Installation Guide
- System Patches
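The two failure modes above (a client-supplied key that breaks the XML configuration, and a key that carries markup into the rendered Dashboard) are easiest to see side by side. The following is an added illustrative model written for this page; it is not pfSense code, and the widget names, the assumed "name-index" key shape, and the XML layout are constructed for the example. It contrasts a naive save that interpolates the key straight into XML with a hardened save that allowlists the key and builds the XML through a library, plus output encoding for the HTML side.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed allowlist of widget names; a real GUI would derive this from the
# widgets it actually ships rather than from client input.
KNOWN_WIDGETS = {"system_information", "interfaces", "gateways", "traffic_graphs"}

# Assumed key shape for this example: <widget_name>-<instance index>.
WIDGET_KEY_RE = re.compile(r"^([a-z_]+)-([0-9]{1,3})$")


def naive_save(keys):
    """Vulnerable pattern: whatever the client sent is written into the config XML."""
    return "<widgets>" + "".join(f"<widget>{k}</widget>" for k in keys) + "</widgets>"


def validate_widget_key(key):
    """Return the key if it is a known widget with a numeric index, else None."""
    m = WIDGET_KEY_RE.match(key)
    if m is None or m.group(1) not in KNOWN_WIDGETS:
        return None
    return m.group(0)


def hardened_save(keys):
    """Reject anything not on the allowlist and let the XML library do the escaping."""
    root = ET.Element("widgets")
    for k in keys:
        valid = validate_widget_key(k)
        if valid is None:
            raise ValueError(f"rejected widget key {k!r}")
        ET.SubElement(root, "widget").text = valid
    return ET.tostring(root, encoding="unicode")


def config_parses(xml_text):
    """True if the saved configuration can still be read back."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def render_widget_title(key):
    """Output encoding for the Dashboard: a key containing markup stays inert text."""
    return f"<h2>{html.escape(key, quote=True)}</h2>"


if __name__ == "__main__":
    good = ["system_information-0", "gateways-1"]
    broken = ["x<y"]                      # constructed: unbalanced markup corrupts the config
    xss = ["<script>alert(1)</script>"]   # constructed: well-formed XML, still script on output

    print("naive/good parses:", config_parses(naive_save(good)))
    print("naive/broken parses:", config_parses(naive_save(broken)))
    print("naive/xss parses:", config_parses(naive_save(xss)), "(stored as-is)")
    print("hardened:", hardened_save(good))
    for bad in broken + xss:
        try:
            hardened_save([bad])
        except ValueError as e:
            print("hardened rejected:", e)
    print("encoded title:", render_widget_title(xss[0]))
```

Note that the XSS sample is well-formed XML, so a parse check alone does not catch it; the allowlist on input and escaping on output are both needed, which is why the advisory lists configuration corruption and XSS as separate risks.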