During my internship at Orange's CERT I manage to find an XSS Vulnerability in OPNSense's' Firewall which could potentially lead to arbitrary administrator account creation via a Cross-site request forgery.