Page 6 of 37 results (0.008 seconds)

CVSS: 6.8EPSS: 79%CPEs: 1EXPL: 3

Cross-site request forgery (CSRF) vulnerability in system_firmware_restorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deletefile parameter. Vulnerabilidad de CSRF en system_firmware_restorefullbackup.php en la GUI web en pfSense anterior a 2.2.1 permite a atacantes remotos secuestrar la autenticación de administradores para solicitudes que eliminan ficheros arbitrarios a través del parámetro deletefile. pfSense version 2.2 suffers from cross site request forgery and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/36506 http://packetstormsecurity.com/files/131022/pfSense-2.2-Cross-Site-Request-Forgery-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/534987/100/0/threaded http://www.securityfocus.com/bid/73344 https://www.htbridge.com/advisory/HTB23251 https://www.pfsense.org/security/advisories/pfSense-SA-15_04.webgui.asc • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 4.3EPSS: 86%CPEs: 1EXPL: 3

Multiple cross-site scripting (XSS) vulnerabilities in the WebGUI in pfSense before 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) zone parameter to status_captiveportal.php; (2) if or (3) dragtable parameter to firewall_rules.php; (4) queue parameter in an add action to firewall_shaper.php; (5) id parameter in an edit action to services_unbound_acls.php; or (6) filterlogentries_time, (7) filterlogentries_sourceipaddress, (8) filterlogentries_sourceport, (9) filterlogentries_destinationipaddress, (10) filterlogentries_interfaces, (11) filterlogentries_destinationport, (12) filterlogentries_protocolflags, or (13) filterlogentries_qty parameter to diag_logs_filter.php. Múltiples vulnerabilidades de XSS en la GUI web en pfSense anterior a 2.2.1 permiten a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través (1) del parámetro zone en status_captiveportal.php; (2) del parámetro if o (3) dragtable en firewall_rules.php; (4) del parámetro queue en una acción de añadir en firewall_shaper.php; (5) del parámetro id en una acción de editar en services_unbound_acls.php; o (6) del parámetro filterlogentries_time, (7) filterlogentries_sourceipaddress, (8) filterlogentries_sourceport, (9) filterlogentries_destinationipaddress, (10) filterlogentries_interfaces, (11) filterlogentries_destinationport, (12) filterlogentries_protocolflags, o (13) filterlogentries_qty en diag_logs_filter.php. pfSense version 2.2 suffers from cross site request forgery and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/131022/pfSense-2.2-Cross-Site-Request-Forgery-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/534987/100/0/threaded http://www.securityfocus.com/bid/73344 https://www.exploit-db.com/exploits/36506 https://www.htbridge.com/advisory/HTB23251 https://www.pfsense.org/security/advisories/pfSense-SA-15_03.webgui.asc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.1.4 allow remote attackers to inject arbitrary web script or HTML via (1) the starttime0 parameter to firewall_schedule.php, (2) the rssfeed parameter to rss.widget.php, (3) the servicestatusfilter parameter to services_status.widget.php, (4) the txtRecallBuffer parameter to exec.php, or (5) the HTTP Referer header to log.widget.php. Múltiples vulnerabilidades de XSS en pfSense anterior a 2.1.4 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de (1) el parámetro starttime0 en firewall_schedule.php, (2) el parámetro rssfeed en rss.widget.php, (3) el parámetro servicestatusfilter en services_status.widget.php, (4) el parámetro txtRecallBuffer en exec.php, o (5) la cabecera HTTP Referer en log.widget.php. • https://pfsense.org/security/advisories/pfSense-SA-14_09.webgui.asc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in suricata_select_alias.php in the Suricata package before 1.0.6 for pfSense through 2.1.4 allow remote attackers to inject arbitrary web script or HTML via unspecified variables. Múltiples vulnerabilidades de XSS en suricata_select_alias.php en el paquete Suricata anterior a 1.0.6 para pfSense hasta 2.1.4 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de variables no especificadas. • https://pfsense.org/security/advisories/pfSense-SA-14_13.packages.asc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0

Absolute path traversal vulnerability in pkg_edit.php in pfSense before 2.1.4 allows remote attackers to read arbitrary XML files via a full pathname in the xml parameter. Vulnerabilidad de recorrido de directorio absoluto en pkg_edit.php en pfSense anterior a 2.1.4 permite a atacantes remotos leer ficheros XML arbitrarios a través de un nombre completo de ruta en el parámetro xml. • https://pfsense.org/security/advisories/pfSense-SA-14_11.webgui.asc • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •