CVSS: 6.8EPSS: 80%CPEs: 1EXPL: 3CVE-2015-2295 – pfSense 2.2 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-2295
Cross-site request forgery (CSRF) vulnerability in system_firmware_restorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deletefile parameter. Vulnerabilidad de CSRF en system_firmware_restorefullbackup.php en la GUI web en pfSense anterior a 2.2.1 permite a atacantes remotos secuestrar la autenticación de administradores para solicitudes que eliminan ficheros arbitrarios a través del parámetro deletefile. pfSense version 2.2 suffers from cross site request forgery and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/36506 http://packetstormsecurity.com/files/131022/pfSense-2.2-Cross-Site-Request-Forgery-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/534987/100/0/threaded http://www.securityfocus.com/bid/73344 https://www.htbridge.com/advisory/HTB23251 https://www.pfsense.org/security/advisories/pfSense-SA-15_04.webgui.asc • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2014-4694
https://notcve.org/view.php?id=CVE-2014-4694
Multiple cross-site scripting (XSS) vulnerabilities in suricata_select_alias.php in the Suricata package before 1.0.6 for pfSense through 2.1.4 allow remote attackers to inject arbitrary web script or HTML via unspecified variables. Múltiples vulnerabilidades de XSS en suricata_select_alias.php en el paquete Suricata anterior a 1.0.6 para pfSense hasta 2.1.4 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de variables no especificadas. • https://pfsense.org/security/advisories/pfSense-SA-14_13.packages.asc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-4691
https://notcve.org/view.php?id=CVE-2014-4691
Session fixation vulnerability in pfSense before 2.1.4 allows remote attackers to hijack web sessions via a firewall login cookie. Vulnerabilidad de fijación de sesión en pfSense anterior a 2.1.4 permite a atacantes remotos secuestrar sesiones web a través de una cookie de inicio de sesión firewall. • https://pfsense.org/security/advisories/pfSense-SA-14_12.webgui.asc •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2014-4687
https://notcve.org/view.php?id=CVE-2014-4687
Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.1.4 allow remote attackers to inject arbitrary web script or HTML via (1) the starttime0 parameter to firewall_schedule.php, (2) the rssfeed parameter to rss.widget.php, (3) the servicestatusfilter parameter to services_status.widget.php, (4) the txtRecallBuffer parameter to exec.php, or (5) the HTTP Referer header to log.widget.php. Múltiples vulnerabilidades de XSS en pfSense anterior a 2.1.4 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de (1) el parámetro starttime0 en firewall_schedule.php, (2) el parámetro rssfeed en rss.widget.php, (3) el parámetro servicestatusfilter en services_status.widget.php, (4) el parámetro txtRecallBuffer en exec.php, o (5) la cabecera HTTP Referer en log.widget.php. • https://pfsense.org/security/advisories/pfSense-SA-14_09.webgui.asc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2014-4692
https://notcve.org/view.php?id=CVE-2014-4692
pfSense before 2.1.4, when HTTP is used, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. pfSense anterior a 2.1.4, cuando HTTP está utilizado, no incluye la etiqueta HTTPOnly en una cabecera Set-Cookie para la cookie de la sesión, lo que facilita a atacantes remotos obtener información potencialmente sensible a través de acceso de secuencias de comandos a esta cookie. • https://pfsense.org/security/advisories/pfSense-SA-14_12.webgui.asc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •