CVE-2023-27253

EPSS 80.44%
Published 17.03.2023 22:15:11
Last modified 21.11.2024 07:52:31
Source cve@mitre.org
Teams watchlist Login
Open Login

A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.

Affected products Warnungen 0 Metrics 2 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Netgate ≫ Pfsense Version2.7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	80.44%	0.991

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

http://packetstormsecurity.com/files/173487/pfSense-Restore-RRD-Data-Command-Injection.html

https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94

Patch

https://redmine.pfsense.org/issues/13935

Patch

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-27253

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-27253

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-27253

EUVD