CVE-2020-21219: 
NixOS vulnerability analysis and mitigation

Cross Site Scripting (XSS) vulnerability exists in Netgate pfSense 2.4.4-Release-p3 and Netgate ACME package 0.6.3 that allows remote attackers to run arbitrary code via the RootFolder field to acmecertificateedit.php page of the ACME package (NVD).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 Base Score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The vulnerability stems from improper neutralization of input during web page generation in the ACME package's certificate editing functionality (NVD).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary code in the context of the user's browser session, potentially leading to unauthorized access to sensitive information or manipulation of the ACME package's functionality (NVD).

A patch has been released that prevents ACME output from being interpreted as HTML. The fix includes modifying the code to use text() instead of html() for output handling and proper escaping of command output. Users should upgrade to ACME package version 0.6.3-1 or later (FreeBSD Ports).