Page 2 of 27 results (0.003 seconds)

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution. Una vulnerabilidad de control de acceso inapropiado en pfSense CE y pfSense Plus (versiones de software de pfSense CE anteriores a 2.6.0 y versiones de software de pfSense Plus anteriores a 22.01) permite que un atacante remoto con el privilegio de cambiar la configuración del GPS NTP reescriba los archivos existentes en el sistema de archivos, lo que puede resultar en una ejecución de un comando arbitrario • https://docs.netgate.com/downloads/pfSense-SA-22_01.webgui.asc https://jvn.jp/en/jp/JVN87751554/index.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command. Una vulnerabilidad de comprobación de entrada inapropiada en pfSense CE y pfSense Plus (versiones de software de pfSense CE anteriores a 2.6.0 y versiones de software de pfSense Plus anteriores a 22.01) permite a un atacante remoto con el privilegio de cambiar la configuración del cliente o del servidor OpenVPN ejecutar un comando arbitrario • https://docs.netgate.com/downloads/pfSense-SA-22_03.webgui.asc https://jvn.jp/en/jp/JVN87751554/index.html • CWE-20: Improper Input Validation •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL. Una vulnerabilidad de tipo cross-site scripting en pfSense CE y pfSense Plus (software pfSense CE versiones 2.5.2 y anteriores, y software pfSense Plus versiones 21.05 y anteriores) permite a un atacante remoto inyectar un script arbitrario por medio de una URL maliciosa • https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc https://jvn.jp/en/jp/JVN87751554/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

/usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call, causing XSS. /usr/local/www/pkg.php en pfSense CE antes de 2.6.0 y pfSense Plus antes de 22.01 utiliza $_REQUEST['pkg_filter'] en una llamada de eco de PHP, lo que provoca XSS • https://docs.netgate.com/downloads/pfSense-SA-22_04.webgui.asc https://github.com/pfsense/pfsense/commit/5d82cce0d615a76b738798577a28a15803e59aeb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 1

A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) parameter on NAT rules. Se ha encontrado una vulnerabilidad de Cross-Site Scripting (XSS) almacenada en status_filter_reload.php, una página de la WebGUI del software pfSense, en la versión 2.4.4-p2 de Netgate pfSense y anteriores. La página no codificaba la salida del proceso de recarga del filtro, y era posible un XSS almacenado a través del parámetro descr (descripción) en las reglas NAT • https://docs.netgate.com/pfsense/en/latest/releases/2-4-4-p3.html https://gist.github.com/dharmeshbaskaran/fd3779006361d07651a883e8a040d916 https://www.pfsense.org/download • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •