CVE-2023-27253

EPSS 79.18%
Veröffentlicht 17.03.2023 22:15:11
Zuletzt bearbeitet 21.11.2024 07:52:31
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Netgate ≫ Pfsense Version2.7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	79.18%	0.99

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

http://packetstormsecurity.com/files/173487/pfSense-Restore-RRD-Data-Command-Injection.html

https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94

Patch

https://redmine.pfsense.org/issues/13935

Patch

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-27253

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-27253

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-27253

EUVD