OPNSense/core c930ab5 src/opnsense/scripts/syslog lockout_handler, src/opnsense/service/templates/OPNsense/Syslog syslog-ng-lockout.conf

system: lockout: address newline injection and correct IP parsing

PR: GHSA-2v2x-m4j7-76pv
(cherry picked from commit 8bdaad95f405f4587bb83bf35aa652ca493cc2a4)
Delta    File
+5 -0    src/opnsense/service/templates/OPNsense/Syslog/syslog-ng-lockout.conf
+1 -1    src/opnsense/scripts/syslog/lockout_handler
+6 -1    2 files

OPNSense/core 631e147 src/opnsense/mvc/app/controllers/OPNsense/Base ApiMutableModelControllerBase.php

mvc: checkAndThrowValueInUse validate input token which may only contain alphanum and dashes

PR: GHSA-98h6-479q-9q3w
(cherry picked from commit d7054cef69f72588feac1091254960835be19dfe)
Delta    File
+3 -1    src/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php
+3 -1    1 files

OPNSense/core adcb02f src/www system_advanced_admin.php

System: Settings: Administration - add missing legacy_html_escape_form_data for $a_cert

PR: GHSA-8pgr-x852-qx4j
(cherry picked from commit 9d0a590e9c49f4374a5539929b366123f63bc9eb)
Delta    File
+1 -0    src/www/system_advanced_admin.php
+1 -0    1 files

OPNSense/core a92d951 src/etc/inc/plugins.inc.d ntpd.inc, src/www services_ntpd_gps.php

network time: fix stored XSS in GPS init string display

Squelch a PHP warning and change the way the default init
command string is used.

PR: GHSA-h793-67jm-j4m5
(cherry picked from commit ed04a154dc40967541be1388e9134e451be4199e)
Delta    File
+3 -2    src/www/services_ntpd_gps.php
+2 -1    src/etc/inc/plugins.inc.d/ntpd.inc
+5 -3    2 files

OPNSense/core 5e6313f src/opnsense/mvc/app/views/OPNsense/Firewall filter_rule.volt nat_rule.volt

firewall: escape user-controlled values in tooltip attributes

PR: GHSA-2xrm-p255-p43h
(cherry picked from commit fb3b8a07f407ce281b1dde748706acbb0bc514ce)
Delta    File
+2 -2    src/opnsense/mvc/app/views/OPNsense/Firewall/filter_rule.volt
+2 -2    src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+4 -4    2 files

OPNSense/core e7fbfaa src/opnsense/scripts/filter/lib/alias geoip.py

Firewall: Aliases - safeguard ISO country codes in alias download

PR: GHSA-wjqq-rfmm-v5h3
(cherry picked from commit c46aced9c47d956167e294911113bc334fea5f48)
Delta    File
+2 -2    src/opnsense/scripts/filter/lib/alias/geoip.py
+2 -2    1 files

OPNSense/core 11180da src/opnsense/mvc/app/views/OPNsense/OpenVPN status.volt, src/opnsense/www/js/widgets OpenVPNClients.js

openvpn: escape client common_name in connection-status views (stored XSS)

The OpenVPN connection-status widget and the connection-status page render
the client common_name into an HTML attribute (data-common-name /
data-common_name) without escaping the double quote, so a common_name
containing a quote breaks out of the attribute. With username-as-common-name
plus a RADIUS/LDAP backend the common_name is an attacker-chosen value.
Escape the quote before placing it in the attribute.

PR: GHSA-26cj-h9rj-g5pf
(cherry picked from commit e7b2ac8093f804bef8eb88dfa9a0d99fad00c12b)
Delta    File
+1 -1    src/opnsense/mvc/app/views/OPNsense/OpenVPN/status.volt
+1 -1    src/opnsense/www/js/widgets/OpenVPNClients.js
+2 -2    2 files

OPNSense/core 3af4961 src/etc/inc/plugins.inc.d openvpn.inc, src/opnsense/mvc/app/models/OPNsense/OpenVPN OpenVPN.xml

openvpn: prevent path traversal in "common_name" attribute

PR: GHSA-2m9v-p7r9-gfcw
(cherry picked from commit 6101b3e2c90482111f420a47775c14a447441a72)
Delta    File
+3 -2    src/etc/inc/plugins.inc.d/openvpn.inc
+3 -1    src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
+6 -3    2 files

OPNSense/core 52b18e6 src/opnsense/mvc/app/models/OPNsense/Dnsmasq Dnsmasq.xml, src/opnsense/mvc/app/models/OPNsense/Firewall Filter.xml

src: configuration line injection via multiple GUI text fields

PR: GHSA-fq94-cxvc-9r7w
Co-authored-by: Franco Fichtner <franco at opnsense.org>
(cherry picked from commit 6c3be9a11699879fe50aea1c30e50de5864601d7)
Delta      File
+23 -20    src/opnsense/mvc/app/models/OPNsense/Monit/Monit.xml
+24 -9     src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+8 -6      src/www/system_general.php
+6 -4      src/opnsense/mvc/app/models/OPNsense/Dnsmasq/Dnsmasq.xml
+4 -4      src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+4 -4      src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml
+69 -47    7 files not shown
+90 -59    13 files

OPNSense/core fb3b8a0 src/opnsense/mvc/app/views/OPNsense/Firewall filter_rule.volt nat_rule.volt

firewall: escape user-controlled values in tooltip attributes

PR: GHSA-2xrm-p255-p43h
Delta    File
+2 -2    src/opnsense/mvc/app/views/OPNsense/Firewall/filter_rule.volt
+2 -2    src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+4 -4    2 files

OPNSense/core d7054ce src/opnsense/mvc/app/controllers/OPNsense/Base ApiMutableModelControllerBase.php

mvc: checkAndThrowValueInUse validate input token which may only contain alphanum and dashes

PR: GHSA-98h6-479q-9q3w
Delta    File
+3 -1    src/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php
+3 -1    1 files

OPNSense/core c46aced src/opnsense/scripts/filter/lib/alias geoip.py

Firewall: Aliases - safeguard ISO country codes in alias download

PR: GHSA-wjqq-rfmm-v5h3
Delta    File
+2 -2    src/opnsense/scripts/filter/lib/alias/geoip.py
+2 -2    1 files

OPNSense/core 8bdaad9 src/opnsense/scripts/syslog lockout_handler, src/opnsense/service/templates/OPNsense/Syslog syslog-ng-lockout.conf

system: lockout: address newline injection and correct IP parsing

PR: GHSA-2v2x-m4j7-76pv
Delta    File
+5 -0    src/opnsense/service/templates/OPNsense/Syslog/syslog-ng-lockout.conf
+1 -1    src/opnsense/scripts/syslog/lockout_handler
+6 -1    2 files

OPNSense/core 9d0a590 src/www system_advanced_admin.php

System: Settings: Administration - add missing legacy_html_escape_form_data for $a_cert

PR: GHSA-8pgr-x852-qx4j
Delta    File
+1 -0    src/www/system_advanced_admin.php
+1 -0    1 files

OPNSense/core 6101b3e src/etc/inc/plugins.inc.d openvpn.inc, src/opnsense/mvc/app/models/OPNsense/OpenVPN OpenVPN.xml

openvpn: prevent path traversal in "common_name" attribute

PR: GHSA-2m9v-p7r9-gfcw
Delta    File
+3 -2    src/etc/inc/plugins.inc.d/openvpn.inc
+3 -1    src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
+6 -3    2 files

OPNSense/core ed04a15 src/etc/inc/plugins.inc.d ntpd.inc, src/www services_ntpd_gps.php

network time: fix stored XSS in GPS init string display

Squelch a PHP warning and change the way the default init
command string is used.

PR: GHSA-h793-67jm-j4m5
Delta    File
+3 -2    src/www/services_ntpd_gps.php
+2 -1    src/etc/inc/plugins.inc.d/ntpd.inc
+5 -3    2 files

OPNSense/core e7b2ac8 src/opnsense/mvc/app/views/OPNsense/OpenVPN status.volt, src/opnsense/www/js/widgets OpenVPNClients.js

openvpn: escape client common_name in connection-status views (stored XSS)

The OpenVPN connection-status widget and the connection-status page render
the client common_name into an HTML attribute (data-common-name /
data-common_name) without escaping the double quote, so a common_name
containing a quote breaks out of the attribute. With username-as-common-name
plus a RADIUS/LDAP backend the common_name is an attacker-chosen value.
Escape the quote before placing it in the attribute.

PR: GHSA-26cj-h9rj-g5pf
Delta    File
+1 -1    src/opnsense/www/js/widgets/OpenVPNClients.js
+1 -1    src/opnsense/mvc/app/views/OPNsense/OpenVPN/status.volt
+2 -2    2 files

OPNSense/core 6c3be9a src/opnsense/mvc/app/models/OPNsense/Dnsmasq Dnsmasq.xml, src/opnsense/mvc/app/models/OPNsense/Firewall Filter.xml

src: configuration line injection via multiple GUI text fields

PR: GHSA-fq94-cxvc-9r7w
Co-authored-by: Franco Fichtner <franco at opnsense.org>
Delta      File
+23 -20    src/opnsense/mvc/app/models/OPNsense/Monit/Monit.xml
+24 -9     src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+8 -6      src/www/system_general.php
+6 -4      src/opnsense/mvc/app/models/OPNsense/Dnsmasq/Dnsmasq.xml
+4 -4      src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+4 -4      src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml
+69 -47    7 files not shown
+90 -59    13 files

OPNSense/core 5217d7d src/opnsense/scripts/captiveportal/lib db.py

captive portal: prevent having to maintain a default here as well
Delta      File
+35 -12    src/opnsense/scripts/captiveportal/lib/db.py
+35 -12    1 files

OPNSense/core 369e983 src/opnsense/scripts/captiveportal process_accounting_messages.php, src/opnsense/scripts/captiveportal/lib db.py

captive portal: move defaults to database, but ensure consistency on the upsert
Delta    File
+4 -3    src/opnsense/scripts/captiveportal/lib/db.py
+2 -2    src/opnsense/scripts/captiveportal/sql/init.sql
+1 -1    src/opnsense/scripts/captiveportal/process_accounting_messages.php
+7 -6    3 files

OPNSense/core 6f86d61 src/opnsense/scripts/syslog lockout_handler, src/opnsense/service/templates/OPNsense/Syslog syslog-ng-lockout.conf

system: lockout: address newline injection and correct IP parsing

PR: GHSA-2v2x-m4j7-76pv
Delta    File
+5 -0    src/opnsense/service/templates/OPNsense/Syslog/syslog-ng-lockout.conf
+1 -1    src/opnsense/scripts/syslog/lockout_handler
+6 -1    2 files

OPNSense/core 863cb8a src/www system_advanced_admin.php

System: Settings: Administration - add missing legacy_html_escape_form_data for $a_cert

PR: GHSA-8pgr-x852-qx4j
Delta    File
+1 -0    src/www/system_advanced_admin.php
+1 -0    1 files

OPNSense/core fdcd3e4 src/opnsense/mvc/app/controllers/OPNsense/Base ApiMutableModelControllerBase.php

mvc: checkAndThrowValueInUse validate input token which may only contain alphanum and dashes

PR: GHSA-98h6-479q-9q3w
Delta    File
+3 -1    src/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php
+3 -1    1 files

OPNSense/core 3f746a5 src/etc/inc/plugins.inc.d ntpd.inc, src/www services_ntpd_gps.php

network time: fix stored XSS in GPS init string display

Squelch a PHP warning and change the way the default init
command string is used.

PR: GHSA-h793-67jm-j4m5
Delta    File
+3 -2    src/www/services_ntpd_gps.php
+2 -1    src/etc/inc/plugins.inc.d/ntpd.inc
+5 -3    2 files

OPNSense/core 045ed70 src/opnsense/mvc/app/views/OPNsense/Firewall filter_rule.volt nat_rule.volt

firewall: escape user-controlled values in tooltip attributes

PR: GHSA-2xrm-p255-p43h
Delta    File
+2 -2    src/opnsense/mvc/app/views/OPNsense/Firewall/filter_rule.volt
+2 -2    src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+4 -4    2 files

OPNSense/core 7c8ab69 src/opnsense/scripts/filter/lib/alias geoip.py

Firewall: Aliases - safeguard ISO country codes in alias download

PR: GHSA-wjqq-rfmm-v5h3
Delta    File
+2 -2    src/opnsense/scripts/filter/lib/alias/geoip.py
+2 -2    1 files

OPNSense/core 03d1336 src/opnsense/mvc/app/views/OPNsense/OpenVPN status.volt, src/opnsense/www/js/widgets OpenVPNClients.js

openvpn: escape client common_name in connection-status views (stored XSS)

The OpenVPN connection-status widget and the connection-status page render
the client common_name into an HTML attribute (data-common-name /
data-common_name) without escaping the double quote, so a common_name
containing a quote breaks out of the attribute. With username-as-common-name
plus a RADIUS/LDAP backend the common_name is an attacker-chosen value.
Escape the quote before placing it in the attribute.

PR: GHSA-26cj-h9rj-g5pf
Delta    File
+1 -1    src/opnsense/mvc/app/views/OPNsense/OpenVPN/status.volt
+1 -1    src/opnsense/www/js/widgets/OpenVPNClients.js
+2 -2    2 files

OPNSense/core e850053 src/etc/inc/plugins.inc.d openvpn.inc, src/opnsense/mvc/app/models/OPNsense/OpenVPN OpenVPN.xml

openvpn: prevent path traversal in "common_name" attribute

PR: GHSA-2m9v-p7r9-gfcw
Delta    File
+3 -2    src/etc/inc/plugins.inc.d/openvpn.inc
+3 -1    src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
+6 -3    2 files

OPNSense/core 679de42 src/opnsense/mvc/app/models/OPNsense/Dnsmasq Dnsmasq.xml, src/opnsense/mvc/app/models/OPNsense/Firewall Filter.xml

src: configuration line injection via multiple GUI text fields

PR: GHSA-fq94-cxvc-9r7w
Co-authored-by: Franco Fichtner <franco at opnsense.org>
Delta      File
+23 -20    src/opnsense/mvc/app/models/OPNsense/Monit/Monit.xml
+24 -9     src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+8 -6      src/www/system_general.php
+6 -4      src/opnsense/mvc/app/models/OPNsense/Dnsmasq/Dnsmasq.xml
+4 -4      src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+4 -4      src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml
+69 -47    7 files not shown
+90 -59    13 files

OPNSense/core 67ea4ad src/opnsense/scripts/wireguard reresolve-dns.py

VPN: WireGuard - add allowed-ips to reresolve-dns.py in case none are set yet, closes https://github.com/opnsense/core/issues/10475
Delta     File
+24 -1    src/opnsense/scripts/wireguard/reresolve-dns.py
+24 -1    1 files