6.1

CVE-2019-12347

Exploit
In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an acme_accountkeys_edit.php action. The vulnerability occurs due to input validation errors.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NetgatePfsense Version2.4.4 Updatep3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 58.58% 0.99
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://packetstormsecurity.com/files/153112/pfSense-2.4.4-p3-Cross-Site-Scripting.html
Third Party Advisory
Exploit
VDB Entry
https://ctrsec.io/index.php/2019/05/28/stored-xss-acme-pfsense-2-4-4-p3/
Patch
Third Party Advisory
Exploit
https://github.com/pfsense/FreeBSD-ports/commit/504909564079e540689dbdbed3a579483c614275
Patch
Third Party Advisory
https://redmine.pfsense.org/issues/9554#change-40729
Vendor Advisory
Exploit
https://www.pfsense.org/download/
Vendor Advisory