OPNsense Cross-Site Scripting Vulnerability in diag_backup.php

A cross-site scripting (XSS) vulnerability has been identified in OPNsense version 19.1, specifically within the diag_backup.php endpoint. This vulnerability allows attackers to inject malicious scripts through several parameters, including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. Exploitation involves sending POST requests with script payloads in these parameters, which are then executed as arbitrary JavaScript in the context of authenticated administrator sessions.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's session.

Reproduction

The vulnerability can be reproduced by sending a POST request to the diag_backup.php endpoint with a script payload in one of the vulnerable parameters. This can be done using a web application testing tool or by manually crafting the request to include the malicious script in the specified parameter.

Remediation

Users are advised to update to OPNsense version 19.1.1, which addresses this cross-site scripting vulnerability.