CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2014-4688 – pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection
https://notcve.org/view.php?id=CVE-2014-4688
pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via (1) the hostname value to diag_dns.php in a Create Alias action, (2) the smartmonemail value to diag_smart.php, or (3) the database value to status_rrd_graph_img.php. pfSense anterior a 2.1.4 permite a usuarios remotos autenticados ejecutar comandos arbitrarios a través del valor (1) hostname en diag_dns.php en una acción Crear Alias, (2) smartmonemail en diag_smart.php, o (3) database en status_rrd_graph_img.php. pfSense versions 2.1.3 and below suffer from a status_rrd_graph_img.php command injection vulnerability. • https://www.exploit-db.com/exploits/43560 https://github.com/andyfeili/CVE-2014-4688 https://pfsense.org/security/advisories/pfSense-SA-14_10.webgui.asc •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2011-5047
https://notcve.org/view.php?id=CVE-2011-5047
Cross-site scripting (XSS) vulnerability in status_rrd_graph.php in pfSense before 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the style parameter. Ejecución de secuencias de comandos en sitios cruzados (XSS) en status_rrd_graph.php en pfSense antes de v2.0.1, permite a usuarios remotos inyectar secuencias de comandos web o HTML de su elección a través del parámetro style. • http://blog.pfsense.org/?p=633 http://secunia.com/advisories/46780 http://www.osvdb.org/77981 http://www.securityfocus.com/bid/51169 https://exchange.xforce.ibmcloud.com/vulnerabilities/72090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 0CVE-2011-4197
https://notcve.org/view.php?id=CVE-2011-4197
etc/inc/certs.inc in the PKI implementation in pfSense before 2.0.1 creates each X.509 certificate with a true value for the CA basic constraint, which allows remote attackers to create sub-certificates for arbitrary subjects by leveraging the private key. etc/inc/certs.inc en la implementación de PKI pfSense antes de v2.0.1, crea cada certificado X.509 con un valor verdadero para la restricción básica de CA, lo que permite a atacantes remotos crear sub-certificados para temas de su elección aprovechando la clave privada. • http://archives.neohapsis.com/archives/bugtraq/2011-12/0152.html http://secunia.com/advisories/46780 http://www.osvdb.org/77982 http://www.securityfocus.com/bid/51169 https://exchange.xforce.ibmcloud.com/vulnerabilities/71969 https://github.com/bsdperimeter/pfsense/commit/1379d66f11aaf72982a70287b83e24efcd18898e https://github.com/bsdperimeter/pfsense/commit/87b4deb2b2dae9013e6aa0fe490d6a5a04a27894 https://www.trustmatta.com/advisories/MATTA-2011-001.txt • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2008-1182
https://notcve.org/view.php?id=CVE-2008-1182
Cross-site scripting (XSS) vulnerability in BSD Perimeter pfSense before 1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en BSD Perimeter pfSense antes de 1.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de vectores sin especificar. • http://blog.pfsense.org/?p=170 http://secunia.com/advisories/29126 http://www.securityfocus.com/bid/28072 https://exchange.xforce.ibmcloud.com/vulnerabilities/40967 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •