CVSS: 9.6EPSS: 0%CPEs: 2EXPL: 0CVE-2020-21487
https://notcve.org/view.php?id=CVE-2020-21487
Cross Site Scripting vulnerability found in Netgate pfSense 2.4.4 and ACME package v.0.6.3 allows attackers to execute arbitrary code via the RootFolder field of acme_certificates.php. • https://github.com/pfsense/FreeBSD-ports/commit/a6f443cde51e7fcf17e51f16014d3589253284d8 https://redmine.pfsense.org/issues/9888 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 3CVE-2023-27100 – pfsenseCE v2.6.0 - Anti-brute force protection bypass
https://notcve.org/view.php?id=CVE-2023-27100
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests. pfsenseCE version 2.6.0 suffers from an anti-brute force protection bypass vulnerability. • https://www.exploit-db.com/exploits/51352 https://github.com/DarokNET/CVE-2023-27100 https://github.com/fabdotnet/CVE-2023-27100 http://packetstormsecurity.com/files/171791/pfsenseCE-2.6.0-Protection-Bypass.html https://docs.netgate.com/downloads/pfSense-SA-23_05.sshguard.asc https://redmine.pfsense.org/issues/13574 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 8.8EPSS: 50%CPEs: 1EXPL: 2CVE-2023-27253 – pfSense Restore RRD Data Command Injection
https://notcve.org/view.php?id=CVE-2023-27253
A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml. • https://www.exploit-db.com/exploits/51608 http://packetstormsecurity.com/files/173487/pfSense-Restore-RRD-Data-Command-Injection.html https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94 https://redmine.pfsense.org/issues/13935 https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/http/pfsense_config_data_exec.rb • CWE-91: XML Injection (aka Blind XPath Injection) •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-29273
https://notcve.org/view.php?id=CVE-2022-29273
pfSense CE through 2.6.0 and pfSense Plus before 22.05 allow XSS in the WebGUI via URL Table Alias URL parameters. • https://docs.netgate.com/downloads/pfSense-SA-22_05.webgui.asc https://docs.netgate.com/pfsense/en/latest/releases/index.html#current-and-upcoming-supported-releases https://redmine.pfsense.org/issues/13060 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-21219
https://notcve.org/view.php?id=CVE-2020-21219
Cross Site Scripting (XSS) vulnerability in Netgate pf Sense 2.4.4-Release-p3 and Netgate ACME package 0.6.3 allows remote attackers to to run arbitrary code via the RootFolder field to acme_certificate_edit.php page of the ACME package. Vulnerabilidad de Cross Site Scripting (XSS) en Netgate pf Sense 2.4.4-Release-p3 y el paquete Netgate ACME 0.6.3 permite a atacantes remotos ejecutar código arbitrario a través del campo RootFolder en la página acme_certificate_edit.php del paquete ACME. • https://github.com/pfsense/FreeBSD-ports/commit/a6f443cde51e7fcf17e51f16014d3589253284d8 https://redmine.pfsense.org/issues/9888 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •