ID CVE-2010-4412 Type cve Reporter cve@mitre.org Modified 2010-12-10T14:08:00
Description
Multiple cross-site scripting (XSS) vulnerabilities in pfSense 2 beta 4 allow remote attackers to inject arbitrary web script or HTML via (1) the id parameter in an olsrd.xml action to pkg_edit.php, (2) the xml parameter to pkg.php, or the if parameter to (3) status_graph.php or (4) interfaces.php, a different vulnerability than CVE-2008-1182 and CVE-2010-4246.
{"id": "CVE-2010-4412", "bulletinFamily": "NVD", "title": "CVE-2010-4412", "description": "Multiple cross-site scripting (XSS) vulnerabilities in pfSense 2 beta 4 allow remote attackers to inject arbitrary web script or HTML via (1) the id parameter in an olsrd.xml action to pkg_edit.php, (2) the xml parameter to pkg.php, or the if parameter to (3) status_graph.php or (4) interfaces.php, a different vulnerability than CVE-2008-1182 and CVE-2010-4246.", "published": "2010-12-07T13:53:00", "modified": "2010-12-10T14:08:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4412", "reporter": "cve@mitre.org", "references": ["http://seclists.org/fulldisclosure/2010/Nov/43", "http://openwall.com/lists/oss-security/2010/11/24/7", "http://openwall.com/lists/oss-security/2010/12/06/7", "http://openwall.com/lists/oss-security/2010/11/22/18"], "cvelist": ["CVE-2010-4412"], "type": "cve", "lastseen": "2020-10-03T11:57:31", "edition": 3, "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:35070", "EDB-ID:35068", "EDB-ID:35069", "EDB-ID:35071"]}], "modified": "2020-10-03T11:57:31", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2020-10-03T11:57:31", "rev": 2}, "vulnersScore": 4.5}, "cpe": ["cpe:/a:bsdperimeter:pfsense:2.0"], "affectedSoftware": [{"cpeName": "bsdperimeter:pfsense", "name": "bsdperimeter pfsense", "operator": "eq", "version": "2.0"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {}, "cpe23": ["cpe:2.3:a:bsdperimeter:pfsense:2.0:beta4:*:*:*:*:*:*"], "cwe": ["CWE-79"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:bsdperimeter:pfsense:2.0:beta4:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}}
{"exploitdb": [{"lastseen": "2016-02-04T00:32:20", "description": "pfSense pkg_edit.php id Parameter XSS. CVE-2010-4412. Remote exploit for hardware platform", "published": "2010-11-08T00:00:00", "type": "exploitdb", "title": "pfSense pkg_edit.php id Parameter XSS", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-4412"], "modified": "2010-11-08T00:00:00", "id": "EDB-ID:35068", "href": "https://www.exploit-db.com/exploits/35068/", "sourceData": "source: http://www.securityfocus.com/bid/45272/info\r\n\r\npfSense is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.\r\n\r\nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.\r\n\r\npfSense 2 Beta 4 is vulnerable; other versions may also be affected. \r\n\r\nhttps://www.example.com/pkg_edit.php?xml=olsrd.xml&id=%22/%3E%3Cscript%3Ealert%282%29;%3C/script%3E", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/35068/"}, {"lastseen": "2016-02-04T00:32:29", "description": "pfSense pkg.php xml Parameter XSS. CVE-2010-4412. Remote exploit for hardware platform", "published": "2010-11-08T00:00:00", "type": "exploitdb", "title": "pfSense pkg.php xml Parameter XSS", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-4412"], "modified": "2010-11-08T00:00:00", "id": "EDB-ID:35069", "href": "https://www.exploit-db.com/exploits/35069/", "sourceData": "source: http://www.securityfocus.com/bid/45272/info\r\n \r\npfSense is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.\r\n \r\nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.\r\n \r\npfSense 2 Beta 4 is vulnerable; other versions may also be affected. \r\n\r\nhttps://www.example.com/pkg.php?xml=jailctl.xm%27l%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/35069/"}, {"lastseen": "2016-02-04T00:32:38", "description": "pfSense status_graph.php if Parameter XSS. CVE-2010-4412. Remote exploit for hardware platform", "published": "2010-11-08T00:00:00", "type": "exploitdb", "title": "pfSense status_graph.php if Parameter XSS", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-4412"], "modified": "2010-11-08T00:00:00", "id": "EDB-ID:35070", "href": "https://www.exploit-db.com/exploits/35070/", "sourceData": "source: http://www.securityfocus.com/bid/45272/info\r\n \r\npfSense is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.\r\n \r\nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.\r\n \r\npfSense 2 Beta 4 is vulnerable; other versions may also be affected. \r\n\r\nhttps://www.example.com/status_graph.php?if=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/35070/"}, {"lastseen": "2016-02-04T00:32:47", "description": "pfSense interfaces.php if Parameter XSS. CVE-2010-4412. Remote exploit for hardware platform", "published": "2010-11-08T00:00:00", "type": "exploitdb", "title": "pfSense interfaces.php if Parameter XSS", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-4412"], "modified": "2010-11-08T00:00:00", "id": "EDB-ID:35071", "href": "https://www.exploit-db.com/exploits/35071/", "sourceData": "source: http://www.securityfocus.com/bid/45272/info\r\n \r\npfSense is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.\r\n \r\nAn attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.\r\n \r\npfSense 2 Beta 4 is vulnerable; other versions may also be affected. \r\n\r\nhttps://www.example.com/interfaces.php?if=wan%22%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/35071/"}]}
