Lucene search

[email protected]CVE-2020-11457

HistoryApr 01, 2020 - 4:15 p.m.

CVE-2020-11457

2020-04-0116:15:27

CWE-79

[email protected]

web.nvd.nist.gov

pfsense

cve-2020-11457

stored xss

system_usermanager_addprivs.php

webgui

security vulnerability

nvd

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

3.5 Low

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

69.0%

JSON

pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user.

Affected configurations

NVD

Node

netgatepfsenseRange<2.4.5

CPENameOperatorVersion
netgate:pfsensenetgate pfsenselt2.4.5

CPE	Name	Operator	Version
netgate:pfsense	netgate pfsense	lt	2.4.5

References

packetstormsecurity.com/files/157104/pfSense-2.4.4-P3-User-Manager-Cross-Site-Scripting.html

github.com/pfsense/pfsense/commit/3c1e53dabe966f27c9097a5a923e77f49ae5fffa

www.exploit-db.com/exploits/48300

www.netgate.com/assets/downloads/advisories/pfSense-SA-20_06.webgui.asc

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

3.5 Low

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

69.0%

JSON

Related for CVE-2020-11457

cvelist1 prion1 osv1 nvd1 packetstorm1 exploitdb1