CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-39003
https://notcve.org/view.php?id=CVE-2023-39003
OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 was discovered to contain insecure permissions in the directory /tmp. • http://opnsense.com https://logicaltrust.net/blog/2023/08/opnsense.html • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-39004
https://notcve.org/view.php?id=CVE-2023-39004
Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allow attackers to access sensitive information (e.g., hashed root password) which could lead to privilege escalation. • http://opnsense.com https://logicaltrust.net/blog/2023/08/opnsense.html • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2023-39005
https://notcve.org/view.php?id=CVE-2023-39005
Insecure permissions exist for configd.socket in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2. • https://github.com/opnsense/core/issues/6647 https://logicaltrust.net/blog/2023/08/opnsense.html • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 1CVE-2023-39007
https://notcve.org/view.php?id=CVE-2023-39007
/ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows XSS via openAction in app/controllers/OPNsense/Cron/ItemController.php. • https://github.com/opnsense/core/commit/5edff49db1cd8b5078611e2f542d91c02af2b25c https://github.com/opnsense/core/compare/23.1.11...23.7 https://logicaltrust.net/blog/2023/08/opnsense.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2021-42770
https://notcve.org/view.php?id=CVE-2021-42770
A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4 via the LDAP attribute return in the authentication tester. Se ha detectado una vulnerabilidad de tipo Cross-site scripting (XSS) en OPNsense versiones anteriores a 21.7.4, por medio de la devolución de atributos LDAP en el comprobador de autenticación • https://cert.orange.com https://github.com/orangecertcc/security-research/security/advisories/GHSA-r32j-xgg3-w2rw https://opnsense.org/opnsense-21-7-4-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •