CVE-2022-23993 - How a Simple Echo in pfSense’s pkg.php Opened the Door to XSS

If you run pfSense as your firewall, you know just how critical patches and security are. Today, we'll deep-dive into CVE-2022-23993—a now-fixed vulnerability that affected pfSense CE before 2.6. and pfSense Plus before 22.01. This bug let attackers inject raw HTML or JavaScript on the firewall’s web interface by exploiting a single unescaped variable in PHP.

If you’re using an older version of pfSense or just want to understand how a seemingly small coding oversight can open a big security hole, read on.

What is CVE-2022-23993?

CVE-2022-23993 is a cross-site scripting (XSS) vulnerability found in the /usr/local/www/pkg.php script of pfSense. It exists because the developers used user input directly in an output statement, without sanitizing it.

The problem lies in how the code uses $_REQUEST['pkg_filter']

echo $_REQUEST['pkg_filter'];

If a user sends a special request with a crafted pkg_filter parameter, the PHP script will print whatever is passed—HTML, JavaScript, you name it—right onto the page.

Why Does It Matter?

Cross-site scripting (XSS) lets an attacker inject malicious scripts into web pages viewed by other users. For something as important as a firewall like pfSense, this can mean:

Manipulating the pfSense UI: Trick users into making unwanted changes.

Even though traffic is often restricted to trusted internal networks, organizations often trust browser sessions on sensitive machines—so you don’t want XSS anywhere near your firewall's dashboard.

Here’s what the vulnerable code snippet in pkg.php looked like

<?php
// Extract filter parameter from URL or POST
$pkg_filter = $_REQUEST['pkg_filter'];

echo $pkg_filter; // <-- The dangerous part

No escaping, no filtering—whatever the user sends in pkg_filter is shown as is.

Exploiting the Vulnerability

To exploit CVE-2022-23993, an attacker would simply craft a link (especially if an admin is already logged in). Here’s an example:

URL:

https://your-pfsense.local/pkg.php?pkg_filter=%3Cscript%3Ealert('XSS!')%3C%2Fscript%3E

When an admin clicks the link or visits it, an alert box pops up—proof that the attacker’s script is running. A real-world exploit could be much more sophisticated, stealing cookies, sending requests, or modifying the web interface.

A POST request works too

POST /pkg.php HTTP/1.1
Host: your-pfsense.local
Content-Type: application/x-www-form-urlencoded

pkg_filter=<img src=x onerror=alert('XSS')>

How Was It Patched?

pfSense fixed this in version 2.6. (and pfSense Plus in 22.01) by properly escaping or filtering user input before outputting it. The best way to fix this type of vulnerability is using htmlspecialchars() in PHP:

echo htmlspecialchars($_REQUEST['pkg_filter'], ENT_QUOTES, 'UTF-8');

This ensures that anything sent as input is displayed as plain text, not interpreted as HTML or JavaScript.

References

* pfSense CE 2.6. Release Notes (Security Fixes)
* pfSense Official Security Advisories
* NVD CVE-2022-23993
* Original pfSense commit fixing the issue

Never trust user input in web apps: Always escape output.

3. Restrict access to the web UI: Limit access to trusted hosts/networks even if patched.

Wrapping Up

CVE-2022-23993 shows that even “little” mistakes—a missing htmlspecialchars()—can have severe effects, especially on security devices like pfSense. If you’re responsible for critical infrastructure, stay on top of security advisories, and always check how user input is handled.

If you want to learn more, check the original pfSense security announcement or browse the CVE entry at NIST NVD.

Timeline

Published on: 01/26/2022 19:15:00 UTC
Last modified on: 04/29/2022 19:32:00 UTC