CVE-2018-4020

Exploit

EPSS 85.97%
Published 03.12.2018 22:29:00
Last modified 21.11.2024 04:06:31
Source talos-cna@cisco.com
Teams watchlist Login
Open Login

An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_ac_mode` POST parameter parameter.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Netgate ≫ Pfsense Version2.4.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	85.97%	0.993

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P
talos-cna@cisco.com	7.2	1.2	5.9	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://talosintelligence.com/vulnerability_reports/TALOS-2018-0690

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2018-4020

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-4020

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-4020

EUVD