CVE-2020-26693
https://notcve.org/view.php?id=CVE-2020-26693
A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which allows an authenticated attacker to execute arbitrary web scripts via exploitation of the load_balancer_monitor.php function. Se ha detectado una vulnerabilidad de tipo cross-site scripting (XSS) almacenado en pfSense versión 2.4.5-p1, que permite a un atacante autentificado ejecutar scripts web arbitrarios por medio de la explotación de la función load_balancer_monitor.php • https://github.com/pfsense/pfsense/commit/a220a22a8c05c10a7b875ac6b565f2c4fe7b251c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-27933
https://notcve.org/view.php?id=CVE-2021-27933
pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field. pfSense versión 2.5.0, permite un ataque de tipo XSS por medio del campo Descripción services_wol_edit.php • http://seclists.org/fulldisclosure/2021/Apr/61 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-18667
https://notcve.org/view.php?id=CVE-2019-18667
/usr/local/www/freeradius_view_config.php in the freeradius3 package before 0.15.7_3 for pfSense on FreeBSD allows a user with an XSS payload as password or username to execute arbitrary javascript code on a victim browser. El archivo /usr/local/www/freeradius_view_config.php en el paquete freeradius3 versiones anteriores a 0.15.7_3 para pfSense, en FreeBSD permite a un usuario con una carga útil XSS como contraseña o nombre de usuario ejecutar código javascript arbitrario en el navegador de la víctima. • https://github.com/pfsense/FreeBSD-ports/commit/30b22b6b0db7b73732a5da346afca66dc244e02a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-10709
https://notcve.org/view.php?id=CVE-2016-10709
pfSense before 2.3 allows remote authenticated users to execute arbitrary OS commands via a '|' character in the status_rrd_graph_img.php graph parameter, related to _rrd_graph_img.php. pfSense, en versiones anteriores a la 2.3, permite que usuarios autenticados remotos ejecuten comandos arbitrarios del sistema operativo mediante un carácter "|" en el parámetro de gráfica status_rrd_graph_img.php, relacionado con _rrd_graph_img.php. • https://www.exploit-db.com/exploits/39709 https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc https://www.rapid7.com/db/modules/exploit/unix/http/pfsense_graph_injection_exec https://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2014-4694
https://notcve.org/view.php?id=CVE-2014-4694
Multiple cross-site scripting (XSS) vulnerabilities in suricata_select_alias.php in the Suricata package before 1.0.6 for pfSense through 2.1.4 allow remote attackers to inject arbitrary web script or HTML via unspecified variables. Múltiples vulnerabilidades de XSS en suricata_select_alias.php en el paquete Suricata anterior a 1.0.6 para pfSense hasta 2.1.4 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de variables no especificadas. • https://pfsense.org/security/advisories/pfSense-SA-14_13.packages.asc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •