Total
48 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-42327 | 1 Netgate | 1 Pfsense | 2023-12-12 | N/A | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page. | |||||
| CVE-2023-42326 | 1 Netgate | 2 Pfsense, Pfsense Plus | 2023-12-12 | N/A | 8.8 HIGH |
| An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components. | |||||
| CVE-2023-42325 | 1 Netgate | 1 Pfsense | 2023-12-12 | N/A | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page. | |||||
| CVE-2023-48123 | 1 Netgate | 2 Pfsense, Pfsense Plus | 2023-12-12 | N/A | 8.8 HIGH |
| An issue in Netgate pfSense Plus v.23.05.1 and before and pfSense CE v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the packet_capture.php file. | |||||
| CVE-2022-26019 | 1 Netgate | 2 Pfsense, Pfsense Plus | 2023-08-08 | 8.5 HIGH | 8.8 HIGH |
| Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution. | |||||
| CVE-2023-27253 | 1 Netgate | 1 Pfsense | 2023-07-13 | N/A | 8.8 HIGH |
| A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml. | |||||
| CVE-2022-29273 | 1 Netgate | 1 Pfsense | 2023-04-10 | N/A | 6.1 MEDIUM |
| pfSense CE through 2.6.0 and pfSense Plus before 22.05 allow XSS in the WebGUI via URL Table Alias URL parameters. | |||||
| CVE-2020-21487 | 1 Netgate | 2 Pfsense, Pfsense Acme Package | 2023-04-10 | N/A | 9.6 CRITICAL |
| Cross Site Scripting vulnerability found in Netgate pfSense 2.4.4 and ACME package v.0.6.3 allows attackers to execute arbitrary code via the RootFolder field of acme_certificates.php. | |||||
| CVE-2020-21219 | 1 Netgate | 2 Acme, Pfsense | 2022-12-19 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Netgate pf Sense 2.4.4-Release-p3 and Netgate ACME package 0.6.3 allows remote attackers to to run arbitrary code via the RootFolder field to acme_certificate_edit.php page of the ACME package. | |||||
| CVE-2018-4021 | 1 Netgate | 1 Pfsense | 2022-06-07 | 6.5 MEDIUM | 7.2 HIGH |
| An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_battery_mode` POST parameter. | |||||
| CVE-2018-4020 | 1 Netgate | 1 Pfsense | 2022-06-07 | 6.5 MEDIUM | 7.2 HIGH |
| An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_ac_mode` POST parameter parameter. | |||||
| CVE-2018-4019 | 1 Netgate | 1 Pfsense | 2022-06-07 | 6.5 MEDIUM | 7.2 HIGH |
| An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_normal_mode` parameter. | |||||
| CVE-2020-19203 | 1 Netgate | 1 Pfsense | 2022-05-13 | 3.5 LOW | 5.4 MEDIUM |
| An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS. | |||||
| CVE-2022-24299 | 1 Netgate | 2 Pfsense, Pfsense Plus | 2022-04-07 | 6.5 MEDIUM | 8.8 HIGH |
| Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command. | |||||
| CVE-2020-19201 | 1 Netgate | 1 Pfsense | 2021-09-14 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) parameter on NAT rules. | |||||
| CVE-2019-16915 | 1 Netgate | 1 Pfsense | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents. | |||||
| CVE-2019-12585 | 2 Apcupsd, Netgate | 2 Apcupsd, Pfsense | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an Arbitrary Command Execution issue in apcupsd_status.php. | |||||
| CVE-2019-11816 | 2 Netgate, Opnsense | 2 Pfsense, Opnsense | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request. | |||||
| CVE-2018-20798 | 1 Netgate | 1 Pfsense | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| The expiretable configuration in pfSense 2.4.4_1 establishes block durations that are incompatible with the block durations implemented by sshguard, which might make it easier for attackers to bypass intended access restrictions. | |||||
| CVE-2019-16667 | 1 Netgate | 1 Pfsense | 2020-07-27 | 6.8 MEDIUM | 8.8 HIGH |
| diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands. This occurs because csrf_callback() produces a "CSRF token expired" error and a Try Again button when a CSRF token is missing. | |||||