CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2022-40624
https://notcve.org/view.php?id=CVE-2022-40624
pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814. pfSense pfBlockerNG hasta 2.1.4_27 permite a atacantes remotos ejecutar comandos arbitrarios del Sistema Operativo como root a través del encabezado HTTP Host, una vulnerabilidad diferente a CVE-2022-31814. • https://github.com/dhammon/pfBlockerNg-CVE-2022-40624 https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html https://github.com/dhammon/pfBlockerNg-RCE • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-42247
https://notcve.org/view.php?id=CVE-2022-42247
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name. Se ha detectado que pfSense versión v2.5.2, contiene una vulnerabilidad de tipo cross-site scripting (XSS) en el componente browser.php. Esta vulnerabilidad permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de una carga útil diseñada inyectada en un nombre de archivo • https://gist.github.com/enferas/b4ca7a4fb52e1b5e698f87e4d655a70a https://github.com/pfsense/pfsense/commit/73ca6743954ac9f35ca293e3f2af63eac20cf32e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20729
https://notcve.org/view.php?id=CVE-2021-20729
Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL. Una vulnerabilidad de tipo cross-site scripting en pfSense CE y pfSense Plus (software pfSense CE versiones 2.5.2 y anteriores, y software pfSense Plus versiones 21.05 y anteriores) permite a un atacante remoto inyectar un script arbitrario por medio de una URL maliciosa • https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc https://jvn.jp/en/jp/JVN87751554/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-21132
https://notcve.org/view.php?id=CVE-2022-21132
Directory traversal vulnerability in pfSense-pkg-WireGuard pfSense-pkg-WireGuard 0.1.5 versions prior to 0.1.5_4 and pfSense-pkg-WireGuard 0.1.6 versions prior to 0.1.6_1 allows a remote authenticated attacker to lead a pfSense user to view a file outside the public folder. Una vulnerabilidad salto de directorio en pfSense-pkg-WireGuard versiones 0.1.5 anteriores a 0.1.5_4 y pfSense-pkg-WireGuard versiones 0.1.6 anteriores a 0.1.6_1, permiten que un atacante remoto autenticado conlleve a un usuario de pfSense a visualizar un archivo fuera de la carpeta pública • https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-WireGuard https://jvn.jp/en/jp/JVN85572374/index.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 97%CPEs: 1EXPL: 2CVE-2021-41282 – pfSense 2.5.2 Shell Upload
https://notcve.org/view.php?id=CVE-2021-41282
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location. El archivo diag_routes.php en pfSense versión 2.5.2, permite una inyección de datos sed. • http://packetstormsecurity.com/files/166208/pfSense-2.5.2-Shell-Upload.html https://docs.netgate.com/pfsense/en/latest/releases/22-01_2-6-0.html https://www.shielder.it/advisories https://www.shielder.it/advisories/pfsense-remote-command-execution • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •