Netgate pfSense

10 matches found

added 2020/04/01 4:15 p.m. | 47 views

CVE-2020-11457

pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user.

CVSS 5.4 | AI score 5.2 | EPSS 0.02457

added 2023/11/14 4:15 a.m. | 41 views

CVE-2023-42325

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.

CVSS 5.4 | AI score 5.9 | EPSS 0.48312

added 2021/07/12 4:15 p.m. | 38 views

CVE-2020-19201

A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) p...

CVSS 5.4 | AI score 5.1 | EPSS 0.00795

added 2021/07/12 4:15 p.m. | 36 views

CVE-2020-19203

An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a ...

CVSS 5.4 | AI score 5.1 | EPSS 0.012

added 2014/07/02 10:35 a.m. | 34 views

CVE-2014-4695

Multiple open redirect vulnerabilities in the Snort package before 3.0.13 for pfSense through 2.1.4 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via (1) the referer parameter to snort_rules_flowbits.php or (2) the returl parameter to snort_select_alia...

CVSS 5.8 | AI score 7.1 | EPSS 0.00047

added 2014/07/02 10:35 a.m. | 32 views

CVE-2014-4689

Absolute path traversal vulnerability in pkg_edit.php in pfSense before 2.1.4 allows remote attackers to read arbitrary XML files via a full pathname in the xml parameter.

CVSS 5 | AI score 6.8 | EPSS 0.0008

added 2014/07/02 10:35 a.m. | 31 views

CVE-2014-4690

Multiple directory traversal vulnerabilities in pfSense before 2.1.4 allow (1) remote attackers to read arbitrary .info files via a crafted path in the pkg parameter to pkg_mgr_install.php and allow (2) remote authenticated users to read arbitrary files via the downloadbackup parameter to system_fi...

CVSS 5 | AI score 6.6 | EPSS 0.00252

added 2014/07/02 10:35 a.m. | 29 views

CVE-2014-4696

Multiple open redirect vulnerabilities in the Suricata package before 1.0.6 for pfSense through 2.1.4 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via (1) the referer parameter to suricata_rules_flowbits.php or (2) the returl parameter to suricata_sel...

CVSS 5.8 | AI score 7.1 | EPSS 0.00047

added 2023/11/14 4:15 a.m. | 26 views

CVE-2023-42327

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.

CVSS 5.4 | AI score 5.9 | EPSS 0.48312

added 2025/06/28 11:15 p.m. | 8 views

CVE-2025-53392

In Netgate pfSense CE 2.8.0, the "WebCfg - Diagnostics: Command" privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the Supplier's perspective is that this is intended behavior for this privilege level, and that system administrators are informed through...

CVSS 5 | AI score 7.4 | EPSS 0.00047