CVE-2014-4687 Information

Description

Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.1.4 allow remote attackers to inject arbitrary web script or HTML via (1) the starttime0 parameter to firewall_schedule.php (2) the rssfeed parameter to rss.widget.php (3) the servicestatusfilter parameter to services_status.widget.php (4) the txtRecallBuffer parameter to exec.php or (5) the HTTP Referer header to log.widget.php.

Reference

https://pfsense.org/security/advisories/pfSense-SA-14_09.webgui.asc