CVSS: 8.8EPSS: 50%CPEs: 1EXPL: 1CVE-2023-27253 – pfSense v2.7.0 - OS Command Injection
https://notcve.org/view.php?id=CVE-2023-27253
A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml. • https://www.exploit-db.com/exploits/51608 http://packetstormsecurity.com/files/173487/pfSense-Restore-RRD-Data-Command-Injection.html https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94 https://redmine.pfsense.org/issues/13935 • CWE-91: XML Injection (aka Blind XPath Injection) •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-29273
https://notcve.org/view.php?id=CVE-2022-29273
pfSense CE through 2.6.0 and pfSense Plus before 22.05 allow XSS in the WebGUI via URL Table Alias URL parameters. • https://docs.netgate.com/downloads/pfSense-SA-22_05.webgui.asc https://docs.netgate.com/pfsense/en/latest/releases/index.html#current-and-upcoming-supported-releases https://redmine.pfsense.org/issues/13060 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-21219
https://notcve.org/view.php?id=CVE-2020-21219
Cross Site Scripting (XSS) vulnerability in Netgate pf Sense 2.4.4-Release-p3 and Netgate ACME package 0.6.3 allows remote attackers to to run arbitrary code via the RootFolder field to acme_certificate_edit.php page of the ACME package. Vulnerabilidad de Cross Site Scripting (XSS) en Netgate pf Sense 2.4.4-Release-p3 y el paquete Netgate ACME 0.6.3 permite a atacantes remotos ejecutar código arbitrario a través del campo RootFolder en la página acme_certificate_edit.php del paquete ACME. • https://github.com/pfsense/FreeBSD-ports/commit/a6f443cde51e7fcf17e51f16014d3589253284d8 https://redmine.pfsense.org/issues/9888 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-42247
https://notcve.org/view.php?id=CVE-2022-42247
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name. Se ha detectado que pfSense versión v2.5.2, contiene una vulnerabilidad de tipo cross-site scripting (XSS) en el componente browser.php. Esta vulnerabilidad permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de una carga útil diseñada inyectada en un nombre de archivo • https://gist.github.com/enferas/b4ca7a4fb52e1b5e698f87e4d655a70a https://github.com/pfsense/pfsense/commit/73ca6743954ac9f35ca293e3f2af63eac20cf32e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-26019
https://notcve.org/view.php?id=CVE-2022-26019
Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution. Una vulnerabilidad de control de acceso inapropiado en pfSense CE y pfSense Plus (versiones de software de pfSense CE anteriores a 2.6.0 y versiones de software de pfSense Plus anteriores a 22.01) permite que un atacante remoto con el privilegio de cambiar la configuración del GPS NTP reescriba los archivos existentes en el sistema de archivos, lo que puede resultar en una ejecución de un comando arbitrario • https://docs.netgate.com/downloads/pfSense-SA-22_01.webgui.asc https://jvn.jp/en/jp/JVN87751554/index.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •