Pfsense Security Vulnerabilities and Issues — Pfsense CVE List

Lucene search

NetgatePfsense

4 matches found

CVE•added 2019/09/26 7:15 p.m.•130 views

CVE-2019-16667

diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands. This occurs because csrf_callback() produces a "CSRF token expired" error and a Try Again button when a CSRF token is missing.

8.8CVSS8.6AI score0.53724EPSS

Web

CVE•added 2019/09/26 6:15 p.m.•120 views

CVE-2019-16915

An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents.

9.8CVSS9.3AI score0.02433EPSS

Web

CVE•added 2019/09/26 6:15 p.m.•102 views

CVE-2019-16914

An XSS issue was discovered in pfSense through 2.4.4-p3. In services_captiveportal_mac.php, the username and delmac parameters are displayed without sanitization.

6.1CVSS5.9AI score0.01636EPSS

CVE•added 2019/09/25 4:15 p.m.•64 views

CVE-2019-16701

pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value.

9CVSS8.9AI score0.18731EPSS

Web