CVSS: 8.8EPSS: 19%CPEs: 2EXPL: 2CVE-2017-1000479
https://notcve.org/view.php?id=CVE-2017-1000479
03 Jan 2018 — pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork of pfSense, was not vulnerable since version 16.1.16 released on June 06, 2016. The unprotected web form was removed from the code during an internal security audit under "possibly insecure" suspicions. pfSense, en sus versiones 2.4.1... • http://www.openwall.com/lists/oss-security/2017/11/22/7 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 7%CPEs: 1EXPL: 0CVE-2015-6508
https://notcve.org/view.php?id=CVE-2015-6508
18 Aug 2015 — Cross-site scripting (XSS) vulnerability in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the descr parameter in a "new" action to system_authservers.php. Vulnerabilidad de XSS en pfSense en versiones anteriores a 2.2.3, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro descr en una 'nueva' acción a system_authservers.php. • https://redmine.pfsense.org/issues/4698 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-6509
https://notcve.org/view.php?id=CVE-2015-6509
18 Aug 2015 — Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) proxypass parameter to system_advanced_misc.php; (2) adaptiveend, (3) adaptivestart, (4) maximumstates, (5) maximumtableentries, or (6) aliasesresolveinterval parameter to system_advanced_firewall.php; (7) proxyurl, (8) proxyuser, or (9) proxyport parameter to system_advanced_misc.php; or (10) name, (11) notification_name, (12) ipaddress, (13) password, (14) s... • https://www.pfsense.org/security/advisories/pfSense-SA-15_06.webgui.asc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2015-6510
https://notcve.org/view.php?id=CVE-2015-6510
18 Aug 2015 — Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) srctrack, (2) use_mfs_tmp_size, or (3) use_mfs_var_size parameter to system_advanced_misc.php; the (4) port, (5) snaplen, or (6) count parameter to diag_packet_capture.php; the (7) pppoe_resethour, (8) pppoe_resetminute, (9) wpa_group_rekey, or (10) wpa_gmk_rekey parameter to interfaces.php; the (11) pppoe_resethour or (12) pppoe_resetminute parameter to inter... • https://www.pfsense.org/security/advisories/pfSense-SA-15_06.webgui.asc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-6511
https://notcve.org/view.php?id=CVE-2015-6511
18 Aug 2015 — Cross-site scripting (XSS) vulnerability in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the server[] parameter to services_ntpd.php. Vulnerabilidad de XSS en pfSense en versiones anteriores a 2.2.3, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro the server[] a services_ntpd.php. • https://www.pfsense.org/security/advisories/pfSense-SA-15_06.webgui.asc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 5%CPEs: 1EXPL: 2CVE-2015-4029
https://notcve.org/view.php?id=CVE-2015-4029
18 Aug 2015 — Cross-site scripting (XSS) vulnerability in the WebGUI in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the zone parameter in a del action to services_captiveportal_zones.php. Vulnerabilidad de XSS en el WebGUI en pfSense en versiones anteriores a 2.2.3, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro de zona en una acción del a services_captiveportal_zones.php. • http://seclists.org/fulldisclosure/2015/Jul/66 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 4CVE-2015-2294 – pfSense 2.2 Cross Site Request Forgery / Cross Site Scripting
https://notcve.org/view.php?id=CVE-2015-2294
25 Mar 2015 — Multiple cross-site scripting (XSS) vulnerabilities in the WebGUI in pfSense before 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) zone parameter to status_captiveportal.php; (2) if or (3) dragtable parameter to firewall_rules.php; (4) queue parameter in an add action to firewall_shaper.php; (5) id parameter in an edit action to services_unbound_acls.php; or (6) filterlogentries_time, (7) filterlogentries_sourceipaddress, (8) filterlogentries_sourceport, (9) filterlogentries... • https://packetstorm.news/files/id/131022 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 51%CPEs: 1EXPL: 4CVE-2015-2295 – pfSense 2.2 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-2295
25 Mar 2015 — Cross-site request forgery (CSRF) vulnerability in system_firmware_restorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deletefile parameter. Vulnerabilidad de CSRF en system_firmware_restorefullbackup.php en la GUI web en pfSense anterior a 2.2.1 permite a atacantes remotos secuestrar la autenticación de administradores para solicitudes que eliminan ficheros arbitrarios a través de... • https://packetstorm.news/files/id/131022 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.8EPSS: 1%CPEs: 9EXPL: 0CVE-2015-1414 – Debian Security Advisory 3175-2
https://notcve.org/view.php?id=CVE-2015-1414
26 Feb 2015 — Integer overflow in FreeBSD before 8.4 p24, 9.x before 9.3 p10. 10.0 before p18, and 10.1 before p6 allows remote attackers to cause a denial of service (crash) via a crafted IGMP packet, which triggers an incorrect size calculation and allocation of insufficient memory. Desbordamiento de enteros en FreeBSD anterior a 8.4 p24, 9.x anterior a 9.3 p10. 10.0 anterior a p18, y 10.1 anterior a p6 permite a atacantes remotos causar una denegación de servicio (caída) a través de un paquete IGMP, lo que provoca un ... • http://www.debian.org/security/2015/dsa-3175 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2014-4687
https://notcve.org/view.php?id=CVE-2014-4687
02 Jul 2014 — Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.1.4 allow remote attackers to inject arbitrary web script or HTML via (1) the starttime0 parameter to firewall_schedule.php, (2) the rssfeed parameter to rss.widget.php, (3) the servicestatusfilter parameter to services_status.widget.php, (4) the txtRecallBuffer parameter to exec.php, or (5) the HTTP Referer header to log.widget.php. Múltiples vulnerabilidades de XSS en pfSense anterior a 2.1.4 permiten a atacantes remotos inyectar secu... • https://pfsense.org/security/advisories/pfSense-SA-14_09.webgui.asc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •