CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-42247
https://notcve.org/view.php?id=CVE-2022-42247
03 Oct 2022 — pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name. Se ha detectado que pfSense versión v2.5.2, contiene una vulnerabilidad de tipo cross-site scripting (XSS) en el componente browser.php. Esta vulnerabilidad permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de una carga útil diseñada inyectada en un no... • https://gist.github.com/enferas/b4ca7a4fb52e1b5e698f87e4d655a70a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-26019
https://notcve.org/view.php?id=CVE-2022-26019
31 Mar 2022 — Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution. Una vulnerabilidad de control de acceso inapropiado en pfSense CE y pfSense Plus (versiones de software de pfSense CE anteriores a 2.6.0 y versiones de software de pfSense Plus ante... • https://docs.netgate.com/downloads/pfSense-SA-22_01.webgui.asc • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-24299
https://notcve.org/view.php?id=CVE-2022-24299
31 Mar 2022 — Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command. Una vulnerabilidad de comprobación de entrada inapropiada en pfSense CE y pfSense Plus (versiones de software de pfSense CE anteriores a 2.6.0 y versiones de software de pfSense Plus anteriores a 22.01) permite a un atacante... • https://docs.netgate.com/downloads/pfSense-SA-22_03.webgui.asc • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20729
https://notcve.org/view.php?id=CVE-2021-20729
31 Mar 2022 — Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL. Una vulnerabilidad de tipo cross-site scripting en pfSense CE y pfSense Plus (software pfSense CE versiones 2.5.2 y anteriores, y software pfSense Plus versiones 21.05 y anteriores) permite a un atacante remoto inyectar un script arbitrario por medio de una URL malic... • https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 91%CPEs: 1EXPL: 3CVE-2021-41282 – pfSense 2.5.2 Shell Upload
https://notcve.org/view.php?id=CVE-2021-41282
01 Mar 2022 — diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location. El... • https://packetstorm.news/files/id/166208 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-23993
https://notcve.org/view.php?id=CVE-2022-23993
26 Jan 2022 — /usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call, causing XSS. /usr/local/www/pkg.php en pfSense CE antes de 2.6.0 y pfSense Plus antes de 22.01 utiliza $_REQUEST['pkg_filter'] en una llamada de eco de PHP, lo que provoca XSS • https://docs.netgate.com/downloads/pfSense-SA-22_04.webgui.asc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 1%CPEs: 3EXPL: 1CVE-2020-19201
https://notcve.org/view.php?id=CVE-2020-19201
12 Jul 2021 — A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) parameter on NAT rules. Se ha encontrado una vulnerabilidad de Cross-Site Scripting (XSS) almacenada en status_filter_reload.php, una página de la WebGUI del software pfSense, en la versión 2.4.4-p2 de Netgate pfSe... • https://docs.netgate.com/pfsense/en/latest/releases/2-4-4-p3.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 1%CPEs: 4EXPL: 0CVE-2020-19203
https://notcve.org/view.php?id=CVE-2020-19203
12 Jul 2021 — An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS. Se ha encontrado una vulnerabilidad de Cross-Site Scripting (XSS) autentificada en widgets/widgets/wake_on_lan_widget.php, un componente de la WebGUI del software pfSense, en la versión 2.4.4-... • https://docs.netgate.com/pfsense/en/latest/releases/2-4-4-p3.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-26693
https://notcve.org/view.php?id=CVE-2020-26693
01 Jun 2021 — A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which allows an authenticated attacker to execute arbitrary web scripts via exploitation of the load_balancer_monitor.php function. Se ha detectado una vulnerabilidad de tipo cross-site scripting (XSS) almacenado en pfSense versión 2.4.5-p1, que permite a un atacante autentificado ejecutar scripts web arbitrarios por medio de la explotación de la función load_balancer_monitor.php • https://github.com/pfsense/pfsense/commit/a220a22a8c05c10a7b875ac6b565f2c4fe7b251c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 1CVE-2021-27933
https://notcve.org/view.php?id=CVE-2021-27933
28 Apr 2021 — pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field. pfSense versión 2.5.0, permite un ataque de tipo XSS por medio del campo Descripción services_wol_edit.php • http://seclists.org/fulldisclosure/2021/Apr/61 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •