CVE-2022-24299
https://notcve.org/view.php?id=CVE-2022-24299
Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command.
• https://docs.netgate.com/downloads/pfSense-SA-22_03.webgui.asc
• https://jvn.jp/en/jp/JVN87751554/index.html
• CWE-20: Improper Input Validation
CVE-2021-20729
https://notcve.org/view.php?id=CVE-2021-20729
Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL.
• https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc
• https://jvn.jp/en/jp/JVN87751554/index.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-23993
https://notcve.org/view.php?id=CVE-2022-23993
/usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call, causing XSS.
• https://docs.netgate.com/downloads/pfSense-SA-22_04.webgui.asc
• https://github.com/pfsense/pfsense/commit/5d82cce0d615a76b738798577a28a15803e59aeb
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-19201
https://notcve.org/view.php?id=CVE-2020-19201
A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) parameter on NAT rules.
• https://docs.netgate.com/pfsense/en/latest/releases/2-4-4-p3.html
• https://gist.github.com/dharmeshbaskaran/fd3779006361d07651a883e8a040d916
• https://www.pfsense.org/download
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-19203
https://notcve.org/view.php?id=CVE-2020-19203
An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS.
• https://docs.netgate.com/pfsense/en/latest/releases/2-4-4-p3.html
• https://gist.github.com/dharmeshbaskaran/55d546496bfb0ba28117e846d8b785db
• https://www.netgate.com/assets/downloads/advisories/pfSense-SA-19_04.webgui.asc
• https://www.pfsense.org/download
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')