8.8
CVE-2023-27253
- EPSS 90.66%
- Veröffentlicht 17.03.2023 22:15:11
- Zuletzt bearbeitet 21.11.2024 07:52:31
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 90.66% | 0.998 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-91 XML Injection (aka Blind XPath Injection)
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
http://packetstormsecurity.com/files/173487/pfSense-Restore-RRD-Data-Command-Injection.html
https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94
https://redmine.pfsense.org/issues/13935