CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2023-48123
https://notcve.org/view.php?id=CVE-2023-48123
An issue in Netgate pfSense Plus v.23.05.1 and before and pfSense CE v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the packet_capture.php file. Un problema en Netgate pfSense Plus v.23.05.1 y anteriores y pfSense CE v.2.7.0 permite a un atacante remoto ejecutar código arbitrario a través de una solicitud manipulada al archivo packet_capture.php. • https://github.com/NHPT/CVE-2023-48123 https://docs.netgate.com/downloads/pfSense-SA-23_11.webgui.asc https://github.com/pfsense/pfsense/commit/f72618c4abb61ea6346938d0c93df9078736b775 https://redmine.pfsense.org/issues/14809 •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-42327
https://notcve.org/view.php?id=CVE-2023-42327
Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page. La vulnerabilidad de Cross Site Scripting (XSS) en Netgate pfSense v.2.7.0 permite a un atacante remoto obtener privilegios a través de una URL manipulada para la página getserviceproviders.php. • https://docs.netgate.com/downloads/pfSense-SA-23_08.webgui.asc https://www.sonarsource.com/blog/pfsense-vulnerabilities-sonarcloud • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-42325
https://notcve.org/view.php?id=CVE-2023-42325
Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page. La vulnerabilidad de Cross Site Scripting (XSS) en Netgate pfSense v.2.7.0 permite a un atacante remoto obtener privilegios a través de una URL manipulada para la página status_logs_filter_dynamic.php. • https://docs.netgate.com/downloads/pfSense-SA-23_09.webgui.asc https://www.sonarsource.com/blog/pfsense-vulnerabilities-sonarcloud • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-42326
https://notcve.org/view.php?id=CVE-2023-42326
An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components. Un problema en Netgate pfSense v.2.7.0 permite a un atacante remoto ejecutar código arbitrario a través de una solicitud manipulada a los componentes interfaces_gif_edit.php e interfaces_gre_edit.php. • https://docs.netgate.com/downloads/pfSense-SA-23_10.webgui.asc https://www.sonarsource.com/blog/pfsense-vulnerabilities-sonarcloud • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 50%CPEs: 1EXPL: 2CVE-2023-27253 – pfSense Restore RRD Data Command Injection
https://notcve.org/view.php?id=CVE-2023-27253
A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml. • https://www.exploit-db.com/exploits/51608 http://packetstormsecurity.com/files/173487/pfSense-Restore-RRD-Data-Command-Injection.html https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94 https://redmine.pfsense.org/issues/13935 https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/http/pfsense_config_data_exec.rb • CWE-91: XML Injection (aka Blind XPath Injection) •