878 matches found
CVE-2015-6509
pfSense exposes multiple reflected XSS vulnerabilities (CVE-2015-6509) in the web GUI prior to version 2.2.3. The flaws allow remote attackers to inject arbitrary web script/HTML through numerous parameters across system_advanced_misc.php, system_advanced_firewall.php, and system_advanced_notific...
CVE-2015-6511
Cross-site scripting XSS vulnerability in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the server parameter to servicesntpd.php...
CVE-2015-4029
pfSense WebGUI CVE-2015-4029 is an XSS in the captive portal zones management page. The flaw arises in services_captiveportal_zones.php when the zone parameter is used during a del action, enabling remote attackers to inject script/HTML into a victim’s browser. Affected releases are pfSense prior...
CVE-2015-6508
CVE-2015-6508 is an XSS vulnerability in pfSense prior to 2.2.3. It allows remote attackers to inject arbitrary script/HTML via the descr parameter in the new action of system_authservers.php. Multiple connected sources (NVD, Red Hat, CNVD, Nessus/PfSense advisories) corroborate this entry. Affec...
Electric Sheep Fencing Pfsense 'zone' Parameter Cross-Site Scripting Vulnerability
Electric Sheep Fencing pfsense is a free and open source FreeBSD-based firewall and router software from Electric Sheep Fencing. A cross-site scripting vulnerability exists in Electric Sheep Fencing Pfsense that stems from the program's failure to adequately filter user-submitted input. When a us...
PFSense 2.2.2 Cross Site Scripting
I. VULNERABILITY ------------------------- Reflected XSS Attacks vulnerabilities in PFSense Version 2.2.2 II. BACKGROUND ------------------------- The pfSense project is a free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third party free...
Arbitrary file deletion and multiple XSS vulnerabilities in pfSense
Advisory ID: HTB23251 Product: pfSense Vendor: Electric Sheep Fencing LLC Vulnerable Versions: 2.2 and probably prior Tested Version: 2.2 Advisory Publication: March 4, 2015 without technical details Vendor Notification: March 4, 2015 Vendor Patch: March 5, 2015 Public Disclosure: March 25, 2015...
ESF pfSense webgui deletefile Directory Traversal (CVE-2015-2295)
A directory traversal vulnerability has been reported in Electric Sheep Fencing pfSense firewall. This vulnerability is due to insufficient validation of the deletefile HTTP request parameter in "/systemfirmwarerestorefullbackup.php". By convincing an authenticated user to click on a crafted link...
ESF pfSense status_captiveportal Cross Site Scripting (CVE-2015-2294)
A cross-site scripting vulnerability has been reported in Electric Sheep Fencing pfSense firewall. The vulnerability is due to insufficient validation of the zone variable in the statuscaptiveportal page. A remote attacker can exploit the XSS vulnerability to execute arbitrary scripts in the user...
CVE-2015-2295
Cross-site request forgery CSRF vulnerability in systemfirmwarerestorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deletefile parameter...
Cross site request forgery (csrf)
Cross-site request forgery CSRF vulnerability in systemfirmwarerestorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deletefile parameter...
CVE-2015-2295
PfSense WebGUI (pfSense before 2.2.1) is affected by CVE-2015-2295 due to CSRF in system_firmware_restorefullbackup.php, enabling an attacker to hijack admin authentication and issue deletefile requests that can remove arbitrary files with root privileges. Several connected advisories corroborate...
CVE-2015-2295
Cross-site request forgery CSRF vulnerability in systemfirmwarerestorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deletefile parameter...
CVE-2015-2294
Multiple cross-site scripting XSS vulnerabilities in the WebGUI in pfSense before 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the 1 zone parameter to statuscaptiveportal.php; 2 if or 3 dragtable parameter to firewallrules.php; 4 queue parameter in an add action to...
Cross site scripting
Multiple cross-site scripting XSS vulnerabilities in the WebGUI in pfSense before 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the 1 zone parameter to statuscaptiveportal.php; 2 if or 3 dragtable parameter to firewallrules.php; 4 queue parameter in an add action to...
CVE-2015-2294
Multiple cross-site scripting XSS vulnerabilities in the WebGUI in pfSense before 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the 1 zone parameter to statuscaptiveportal.php; 2 if or 3 dragtable parameter to firewallrules.php; 4 queue parameter in an add action to...
CVE-2015-2294
pfSense before 2.2.1 is affected by multiple WebGUI XSS vulnerabilities (CVE-2015-2294) and a CSRF issue (CVE-2015-2295). The root cause is insufficient validation/sanitization of user-supplied input across many parameters (zone, if/dragtable, queue, id, and various filterlogentries_*; plus syste...
KLA10528 Code injection vulnerability in pfsense
Cross-site scripting vulnerabilities were found in pfSense. By exploiting these vulnerabilities malicious users can enject arbitrary sctip or HTML. These vulnerabilities can be exploited remotely via a specially designed parameters for web interface. Original advisories pfSense advisory...
pfSense 2.2 - Multiple Vulnerabilities
Exploit for php platform in category web applications Product: pfSense Vendor: Electric Sheep Fencing LLC Vulnerable Versions: 2.2 and probably prior Tested Version: 2.2 Advisory Publication: March 4, 2015 without technical details Vendor Notification: March 4, 2015 Vendor Patch: March 5, 2015...
pfSense 2.2 - Multiple Vulnerabilities
pfSense 2.2 - Multiple Vulnerabilities Advisory ID: HTB23251 Product: pfSense Vendor: Electric Sheep Fencing LLC Vulnerable Versions: 2.2 and probably prior Tested Version: 2.2 Advisory Publication: March 4, 2015 without technical details Vendor Notification: March 4, 2015 Vendor Patch: March 5,...