CVE-2023-39008
- EPSS 2.56%
- Veröffentlicht 09.08.2023 19:15:15
- Zuletzt bearbeitet 21.11.2024 08:14:36
A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands.
CVE-2023-39007
- EPSS 2.32%
- Veröffentlicht 09.08.2023 19:15:15
- Zuletzt bearbeitet 21.11.2024 08:14:36
/ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows XSS via openAction in app/controllers/OPNsense/Cron/ItemController.php.
CVE-2023-39006
- EPSS 0.41%
- Veröffentlicht 09.08.2023 19:15:15
- Zuletzt bearbeitet 21.11.2024 08:14:36
The Crash Reporter (crash_reporter.php) component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 mishandles input sanitization.
CVE-2023-39005
- EPSS 0.6%
- Veröffentlicht 09.08.2023 19:15:15
- Zuletzt bearbeitet 21.11.2024 08:14:36
Insecure permissions exist for configd.socket in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2.
CVE-2023-39004
- EPSS 0.79%
- Veröffentlicht 09.08.2023 19:15:15
- Zuletzt bearbeitet 09.07.2026 01:18:34
Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allow attackers to access sensitive information (e.g., hashed root password) which could lead to privilege escal...
CVE-2023-39002
- EPSS 1.16%
- Veröffentlicht 09.08.2023 19:15:14
- Zuletzt bearbeitet 21.11.2024 08:14:36
A cross-site scripting (XSS) vulnerability in the act parameter of system_certmanager.php in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2023-38997
- EPSS 1.14%
- Veröffentlicht 09.08.2023 19:15:14
- Zuletzt bearbeitet 21.11.2024 08:14:35
A directory traversal vulnerability in the Captive Portal templates of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands as root via a crafted ZIP archive.
CVE-2023-38998
- EPSS 0.51%
- Veröffentlicht 09.08.2023 19:15:14
- Zuletzt bearbeitet 21.11.2024 08:14:35
An open redirect in the Login page of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to redirect a victim user to an arbitrary web site via a crafted URL.
CVE-2023-38999
- EPSS 0.33%
- Veröffentlicht 09.08.2023 19:15:14
- Zuletzt bearbeitet 21.11.2024 08:14:35
A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to cause a Denial of Service (DoS) via a crafted GET request.
CVE-2023-39000
- EPSS 0.5%
- Veröffentlicht 09.08.2023 19:15:14
- Zuletzt bearbeitet 21.11.2024 08:14:35
A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to inject arbitrary JavaScript via the URL path.