CVE-2020-21219
https://notcve.org/view.php?id=CVE-2020-21219
Cross Site Scripting (XSS) vulnerability in Netgate pf Sense 2.4.4-Release-p3 and Netgate ACME package 0.6.3 allows remote attackers to to run arbitrary code via the RootFolder field to acme_certificate_edit.php page of the ACME package. Vulnerabilidad de Cross Site Scripting (XSS) en Netgate pf Sense 2.4.4-Release-p3 y el paquete Netgate ACME 0.6.3 permite a atacantes remotos ejecutar código arbitrario a través del campo RootFolder en la página acme_certificate_edit.php del paquete ACME. • https://github.com/pfsense/FreeBSD-ports/commit/a6f443cde51e7fcf17e51f16014d3589253284d8 https://redmine.pfsense.org/issues/9888 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-42247
https://notcve.org/view.php?id=CVE-2022-42247
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name. Se ha detectado que pfSense versión v2.5.2, contiene una vulnerabilidad de tipo cross-site scripting (XSS) en el componente browser.php. Esta vulnerabilidad permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de una carga útil diseñada inyectada en un nombre de archivo • https://gist.github.com/enferas/b4ca7a4fb52e1b5e698f87e4d655a70a https://github.com/pfsense/pfsense/commit/73ca6743954ac9f35ca293e3f2af63eac20cf32e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-26019
https://notcve.org/view.php?id=CVE-2022-26019
Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution. Una vulnerabilidad de control de acceso inapropiado en pfSense CE y pfSense Plus (versiones de software de pfSense CE anteriores a 2.6.0 y versiones de software de pfSense Plus anteriores a 22.01) permite que un atacante remoto con el privilegio de cambiar la configuración del GPS NTP reescriba los archivos existentes en el sistema de archivos, lo que puede resultar en una ejecución de un comando arbitrario • https://docs.netgate.com/downloads/pfSense-SA-22_01.webgui.asc https://jvn.jp/en/jp/JVN87751554/index.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2022-24299
https://notcve.org/view.php?id=CVE-2022-24299
Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command. Una vulnerabilidad de comprobación de entrada inapropiada en pfSense CE y pfSense Plus (versiones de software de pfSense CE anteriores a 2.6.0 y versiones de software de pfSense Plus anteriores a 22.01) permite a un atacante remoto con el privilegio de cambiar la configuración del cliente o del servidor OpenVPN ejecutar un comando arbitrario • https://docs.netgate.com/downloads/pfSense-SA-22_03.webgui.asc https://jvn.jp/en/jp/JVN87751554/index.html • CWE-20: Improper Input Validation •
CVE-2021-20729
https://notcve.org/view.php?id=CVE-2021-20729
Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL. Una vulnerabilidad de tipo cross-site scripting en pfSense CE y pfSense Plus (software pfSense CE versiones 2.5.2 y anteriores, y software pfSense Plus versiones 21.05 y anteriores) permite a un atacante remoto inyectar un script arbitrario por medio de una URL maliciosa • https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc https://jvn.jp/en/jp/JVN87751554/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •