CVE-2015-2294

pfSense 2.2 Cross Site Request Forgery / Cross Site Scripting

Severity Score

4.3

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple cross-site scripting (XSS) vulnerabilities in the WebGUI in pfSense before 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) zone parameter to status_captiveportal.php; (2) if or (3) dragtable parameter to firewall_rules.php; (4) queue parameter in an add action to firewall_shaper.php; (5) id parameter in an edit action to services_unbound_acls.php; or (6) filterlogentries_time, (7) filterlogentries_sourceipaddress, (8) filterlogentries_sourceport, (9) filterlogentries_destinationipaddress, (10) filterlogentries_interfaces, (11) filterlogentries_destinationport, (12) filterlogentries_protocolflags, or (13) filterlogentries_qty parameter to diag_logs_filter.php.

Múltiples vulnerabilidades de XSS en la GUI web en pfSense anterior a 2.2.1 permiten a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través (1) del parámetro zone en status_captiveportal.php; (2) del parámetro if o (3) dragtable en firewall_rules.php; (4) del parámetro queue en una acción de añadir en firewall_shaper.php; (5) del parámetro id en una acción de editar en services_unbound_acls.php; o (6) del parámetro filterlogentries_time, (7) filterlogentries_sourceipaddress, (8) filterlogentries_sourceport, (9) filterlogentries_destinationipaddress, (10) filterlogentries_interfaces, (11) filterlogentries_destinationport, (12) filterlogentries_protocolflags, o (13) filterlogentries_qty en diag_logs_filter.php.

pfSense version 2.2 suffers from cross site request forgery and cross site scripting vulnerabilities.

*Credits: N/A

CVSS Scores

NISTv2 4.3

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-03-14 CVE Reserved
2015-03-25 CVE Published
2024-08-06 CVE Updated
2024-08-06 First Exploit
2024-11-11 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (6)

URL	Tag	Source
http://www.securityfocus.com/archive/1/534987/100/0/threaded	Mailing List
http://www.securityfocus.com/bid/73344	Vdb Entry

URL	Date	SRC
http://packetstormsecurity.com/files/131022/pfSense-2.2-Cross-Site-Request-Forgery-Cross-Site-Scripting.html	2024-08-06
https://www.exploit-db.com/exploits/36506	2024-08-06
https://www.htbridge.com/advisory/HTB23251	2024-08-06

URL	Date	SRC

URL	Date	SRC
https://www.pfsense.org/security/advisories/pfSense-SA-15_03.webgui.asc	2019-05-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netgate Search vendor "Netgate"		Pfsense Search vendor "Netgate" for product "Pfsense"				<= 2.2 Search vendor "Netgate" for product "Pfsense" and version " <= 2.2"		-		Affected