CVE-2010-4246 – pfSense 2 Beta 4 - 'graph.php' Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2010-4246
Multiple cross-site scripting (XSS) vulnerabilities in graph.php in pfSense 1.2.3 and 2 beta 4 allow remote attackers to inject arbitrary web script or HTML via the (1) ifnum or (2) ifname parameter, a different vulnerability than CVE-2008-1182.
• https://www.exploit-db.com/exploits/34985
• http://openwall.com/lists/oss-security/2010/11/22/18
• http://openwall.com/lists/oss-security/2010/11/24/7
• http://seclists.org/fulldisclosure/2010/Nov/43
• http://secunia.com/advisories/42138
• http://www.securityfocus.com/bid/44738
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-4412 – pfSense - 'interfaces.php?if' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-4412
Multiple cross-site scripting (XSS) vulnerabilities in pfSense 2 beta 4 allow remote attackers to inject arbitrary web script or HTML via (1) the id parameter in an olsrd.xml action to pkg_edit.php, (2) the xml parameter to pkg.php, or the if parameter to (3) status_graph.php or (4) interfaces.php, a different vulnerability than CVE-2008-1182 and CVE-2010-4246.
• https://www.exploit-db.com/exploits/35071
• https://www.exploit-db.com/exploits/35069
• https://www.exploit-db.com/exploits/35068
• https://www.exploit-db.com/exploits/35070
• http://openwall.com/lists/oss-security/2010/11/22/18
• http://openwall.com/lists/oss-security/2010/11/24/7
• http://openwall.com/lists/oss-security/2010/12/06/7
• http://seclists.org/fulldisclosure/2010/Nov/43
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')