Netgate

Pfsense

53 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.8

CVE-2023-27253

  • EPSS 80.44%
  • Published 17.03.2023 22:15:11
  • Last modified 21.11.2024 07:52:31

A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.

6.1

CVE-2022-29273

  • EPSS 45.07%
  • Published 22.02.2023 21:15:11
  • Last modified 21.11.2024 06:58:50

pfSense CE through 2.6.0 and pfSense Plus before 22.05 allow XSS in the WebGUI via URL Table Alias URL parameters.

6.1

CVE-2020-21219

  • EPSS 0.22%
  • Published 15.12.2022 19:15:15
  • Last modified 25.04.2025 15:15:29

Cross Site Scripting (XSS) vulnerability in Netgate pf Sense 2.4.4-Release-p3 and Netgate ACME package 0.6.3 allows remote attackers to to run arbitrary code via the RootFolder field to acme_certificate_edit.php page of the ACME package.

8.8

CVE-2022-26019

  • EPSS 0.25%
  • Published 31.03.2022 08:15:08
  • Last modified 21.11.2024 06:53:19

Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite exi...

8.8

CVE-2022-24299

  • EPSS 0.22%
  • Published 31.03.2022 08:15:08
  • Last modified 21.11.2024 06:50:07

Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server sett...

5.4

CVE-2020-19203

  • EPSS 1.2%
  • Published 12.07.2021 16:15:08
  • Last modified 21.11.2024 05:09:01

An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of...

5.4

CVE-2020-19201

Exploit
  • EPSS 0.8%
  • Published 12.07.2021 16:15:08
  • Last modified 21.11.2024 05:09:01

A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stor...

6.1

CVE-2020-10797

  • EPSS 2.09%
  • Published 29.04.2020 14:15:16
  • Last modified 21.11.2024 04:56:05

An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version. After passing inputs to the command and executing this command, the $result variable is not sanitized before it is printed.

5.4

CVE-2020-11457

  • EPSS 3.82%
  • Published 01.04.2020 16:15:27
  • Last modified 21.11.2024 04:57:57

pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user.

8.8

CVE-2019-16667

Exploit
  • EPSS 53.72%
  • Published 26.09.2019 19:15:12
  • Last modified 21.11.2024 04:30:56

diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands. This occurs because csrf_callback() produces a "CSRF token expired" error and a Try Again button when a CSRF token...