An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version. After passing inputs to the command and executing this command, the $result variable is not sanitized before it is printed.
https://redmine.pfsense.org/issues/10355
https://github.com/pfsense/pfsense/commit/cc3990a334059018b004c91eeb66c147d8afe83d
https://docs.netgate.com/pfsense/en/latest/releases/2-4-5-new-features-and-changes.html
Source: Mitre, NVD
Published: 2020-04-29
Updated: 2026-06-17
Base Score: 4.3
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
Severity: Medium
Base Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.0152