CVE-2024-46538
published 2024-10-22


Priority: P3 35
Severity: medium, 4.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 77.89% (99.5th percentile)

A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php.

Affected (1 range)

Vendor | Product | Version range | Fixed in
netgate | pfsense | |

Detection & IOCs (extracted from sources)

URL: /interfaces_groups_edit.php
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PFsense Stored Cross-Site Scripting (CVE-2024-46538)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/interfaces_groups_edit.php"; fast_pattern; http.cookie; content:"PHPSESSID|3d|"; http.request_body; content:"__csrf_magic|3d|"; content:"ifname|3d|"; content:"descr|3d|"; content:"members"; pcre:"/^(?:%5[bB]%5[dD]|\x5b\x5d)\x3d[^\x25]*?(?:[\x20\x27\x22\x2f]on[a-z]+\x3d|(?:[^\x2f]s(?:cript[\x3a\x3e\x20\x2f]|tyle\x3d)|\x3ciframe[\x20\x2f]))/R"; content:"save|3d|"; reference:url,github.com/physicszq/web_issue/blob/main/pfsense/interfaces_groups_edit_file.md_xss.md; reference:cve,2024-46538; classtype:web-application-attack; sid:2057064; rev:1;)
  • Attack is delivered via HTTP POST to /interfaces_groups_edit.php; look for POST requests to this endpoint targeting pfSense hosts.
  • Malicious payload is injected into the POST body 'members' parameter (array-style, e.g. members[]=...) and must contain XSS vectors such as event handlers (onXxx=), <script>, style=, or <iframe> tags.
  • This is a Stored XSS; the payload persists via the $pconfig variable in interfaces_groups_edit.php and will execute in the browser of any admin who views the interface group.
  • Snort/Suricata SID 2057064 (ET, rev:1, created 2024-10-28) can be used to detect exploitation attempts at the network perimeter or on internal segments with TLS decryption enabled.
  • The vulnerability is confirmed in pfSense v2.5.2; deployments on this version should be prioritised for patching or WAF coverage.