Lucene search

GoogleOSV:CVE-2023-27253

HistoryMar 17, 2023 - 10:15 p.m.

CVE-2023-27253

2023-03-1722:15:11

Google

osv.dev

cve-2023-27253

command injection

netgate pfsense

authenticated attackers

arbitrary commands

xml file manipulation

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.2 High

AI Score

Confidence

High

0.481 Medium

EPSS

Percentile

97.5%

JSON

A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.

CPENameOperatorVersion
pfsenseeqRoot_RELENG_1_2
pfsenseeqRELENG_2_2_BETA

CPE	Name	Operator	Version
	pfsense	eq	Root_RELENG_1_2
	pfsense	eq	RELENG_2_2_BETA

References

packetstormsecurity.com/files/173487/pfSense-Restore-RRD-Data-Command-Injection.html

github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94

redmine.pfsense.org/issues/13935

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.2 High

AI Score

Confidence

High

0.481 Medium

EPSS

Percentile

97.5%

JSON

Related for OSV:CVE-2023-27253