Advisory Details

Stored XSS in Administration Settings via Certificate Description

CVSS 3.1:5.2 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
Attack VectorN/A
Attack ComplexityN/A
Privileges RequiredN/A
User InteractionN/A
ScopeN/A
ConfidentialityN/A
IntegrityN/A
AvailabilityN/A
Software:OPNsense
Published:01.07.2026
CVE:CVE-2026-58394 ↗
Credits:Jonas Ampferl
External Advisory:Check out the external advisory ↗

Summary

The “SSL Certificate” selector in System -> Settings -> Administration (system_advanced_admin.php) renders the certificates free-text Description (descr) without HTML escaping. The descr validator (DescriptionField, mask /^(.){1,255}$/) permits all HTML metacharacters, so a description containing a <script> tag is stored directly and executes as stored XSS in the session of any user who opens the Administration page. A user with the certificate-management privilege can therefore store cross-site scripting that runs in the session of any user/administrator who opens the Administration page.

Details

Root cause

The certificate description is stored directly in config.xml and emitted into the dropdown without escaping:

# src/www/system_advanced_admin.php
# line 402 - the certificate list reads straight from the config
$a_cert = config_read_array('cert', false);
...
# line 416 and 417 - the page only escapes the edited form data and the group list
legacy_html_escape_form_data($pconfig);
legacy_html_escape_form_data($a_group);     
# $a_cert IS SKIPPED
...
# line 564-567 - the cert description is echoed raw into the <option> body
foreach ($a_cert as $cert):
    <option value="..."> <?= $cert['descr']; ?> </option>   <!-- VULNERABLE SINK -->

$a_cert is read directly from the configuration and rendered without escaping. The descr field uses DescriptionField with the mask /^(.){1,255}$/ (any character except line feed, up to 255 characters in total), which permits all HTML characters (so a simple <script>...</script> payload works).

Proof of Concept

As a user with the certificate-management privilege (page-system-trust-cert), create a new certificate at System -> Trust -> Certificates (/ui/trust/cert) and set its Description(descr) to the payload:

<script>alert(1337)</script>

Certificate description field storing the script payload
Certificate description field storing the script payload

Open System -> Settings -> Administration (/system_advanced_admin.php). The “SSL Certificate” <select> renders $cert['descr'] raw, so the stored script executes in the session!

Stored XSS payload firing on the Administration settings page
Stored XSS payload firing on the Administration settings page

Impact

A user with the certificate-management privilege (page-system-certmanager) can store javascript that runs in the GUI session of an administrator, who opens the System -> Settings -> Administration page. That could lead to the theft of the CSRF token and execution of authenticated actions as the victim.

References

Könnte deine Anwendung auch Lücken haben?

In unserem Hacking Cult Bootcamp durchläufst du in 4 Wochen einen strukturierten Security-Check. Von Grundlagenwissen, um zu prüfen, wo dein Team wirklich steht, bis hin zum konkreten Schwachstellen-Scan deiner Webanwendung. Und das komplett kostenlos!

Melde dich!

Hacking Cult GmbH

Gerolfinger Str. 106
85049 Ingolstadt

+49 (841) 9937 3456
ops[LOESCH-MICH-SPAMSCHUTZ]@[LOESCH-MICH-AUCH]hackingcult.de

LinkedIn Unternehmensseite
Facebook Account
Hacking Cult Youtube Channel
Hacking Cult Instagram account