CVSS: 9.3EPSS: 55%CPEs: 1EXPL: 3CVE-2024-46538 – pfSense 2.5.2 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2024-46538
22 Oct 2024 — A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php. A cross site scripting vulnerability in pfsense version 2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php. • https://packetstorm.news/files/id/182333 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29975
https://notcve.org/view.php?id=CVE-2023-29975
09 Nov 2023 — An issue discovered in Pfsense CE version 2.6.0 allows attackers to change the password of any user without verification. Un problema descubierto en Pfsense CE versión 2.6.0 permite a los atacantes cambiar la contraseña de cualquier usuario sin verificación. • https://www.esecforte.com/cve-2023-29975-unverified-password-changed • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29974
https://notcve.org/view.php?id=CVE-2023-29974
08 Nov 2023 — An issue discovered in Pfsense CE version 2.6.0 allows attackers to compromise user accounts via weak password requirements. Un problema descubierto en Pfsense CE versión 2.6.0 permite a los atacantes comprometer cuentas de usuario mediante requisitos de contraseña débiles. • https://www.esecforte.com/cve-2023-29974-weak-password-policy • CWE-521: Weak Password Requirements •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-29973
https://notcve.org/view.php?id=CVE-2023-29973
24 Oct 2023 — Pfsense CE version 2.6.0 is vulnerable to No rate limit which can lead to an attacker creating multiple malicious users in firewall. Pfsense CE versión 2.6.0 es vulnerable a No rate limit, lo que puede llevar a que un atacante cree múltiples usuarios maliciosos en el firewall. • https://www.esecforte.com/cve-2023-29973-no-rate-limit • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2020-19678
https://notcve.org/view.php?id=CVE-2020-19678
06 Apr 2023 — Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php. • http://www.2ngon.com/2015/01/lfi-vulnerability-suricata-146-pkg-v101.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 3%CPEs: 2EXPL: 4CVE-2023-27100 – pfsenseCE v2.6.0 - Anti-brute force protection bypass
https://notcve.org/view.php?id=CVE-2023-27100
22 Mar 2023 — Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests. pfsenseCE version 2.6.0 suffers from an anti-brute force protection bypass vulnerability. • https://packetstorm.news/files/id/171791 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 10.0EPSS: 87%CPEs: 1EXPL: 1CVE-2022-40624
https://notcve.org/view.php?id=CVE-2022-40624
20 Dec 2022 — pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814. pfSense pfBlockerNG hasta 2.1.4_27 permite a atacantes remotos ejecutar comandos arbitrarios del Sistema Operativo como root a través del encabezado HTTP Host, una vulnerabilidad diferente a CVE-2022-31814. • https://github.com/dhammon/pfBlockerNg-CVE-2022-40624 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-42247
https://notcve.org/view.php?id=CVE-2022-42247
03 Oct 2022 — pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name. Se ha detectado que pfSense versión v2.5.2, contiene una vulnerabilidad de tipo cross-site scripting (XSS) en el componente browser.php. Esta vulnerabilidad permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de una carga útil diseñada inyectada en un no... • https://gist.github.com/enferas/b4ca7a4fb52e1b5e698f87e4d655a70a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20729
https://notcve.org/view.php?id=CVE-2021-20729
31 Mar 2022 — Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL. Una vulnerabilidad de tipo cross-site scripting en pfSense CE y pfSense Plus (software pfSense CE versiones 2.5.2 y anteriores, y software pfSense Plus versiones 21.05 y anteriores) permite a un atacante remoto inyectar un script arbitrario por medio de una URL malic... • https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-21132
https://notcve.org/view.php?id=CVE-2022-21132
07 Mar 2022 — Directory traversal vulnerability in pfSense-pkg-WireGuard pfSense-pkg-WireGuard 0.1.5 versions prior to 0.1.5_4 and pfSense-pkg-WireGuard 0.1.6 versions prior to 0.1.6_1 allows a remote authenticated attacker to lead a pfSense user to view a file outside the public folder. Una vulnerabilidad salto de directorio en pfSense-pkg-WireGuard versiones 0.1.5 anteriores a 0.1.5_4 y pfSense-pkg-WireGuard versiones 0.1.6 anteriores a 0.1.6_1, permiten que un atacante remoto autenticado conlleve a un usuario de pfSen... • https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-WireGuard • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •