Lucene search

NetgatePfsense

10 matches found

CVE
added 2019/05/29 7:29 p.m., 149 views

CVE-2019-12347

In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an acme_accountkeys_edit.php action. The vulnerability occurs due to input validation errors.

6.1 CVSS, 5.9 AI score, 0.75173 EPSS

CVE
added 2019/09/26 6:15 p.m., 101 views

CVE-2019-16914

An XSS issue was discovered in pfSense through 2.4.4-p3. In services_captiveportal_mac.php, the username and delmac parameters are displayed without sanitization.

6.1 CVSS, 5.9 AI score, 0.0094 EPSS

CVE
added 2014/07/02 10:35 a.m., 69 views

CVE-2014-4688

pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via (1) the hostname value to diag_dns.php in a Create Alias action, (2) the smartmonemail value to diag_smart.php, or (3) the database value to status_rrd_graph_img.php.

6.5 CVSS, 7.2 AI score, 0.01131 EPSS

CVE
added 2019/06/25 11:15 a.m., 67 views

CVE-2019-12949

In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on a phishing page, an attacker can leverage XSS to upload arbitrary executable code, via diag_command.php and rrd_fetch_json.php (timePeriod parameter), to a server. Then, the remo...

6.1 CVSS, 6.1 AI score, 0.10406 EPSS

CVE
added 2015/04/10 3:0 p.m., 63 views

CVE-2015-2295

Cross-site request forgery (CSRF) vulnerability in system_firmware_restorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deletefile parameter.

6.8 CVSS, 7.1 AI score, 0.37753 EPSS

CVE
added 2022/12/15 7:15 p.m., 55 views

CVE-2020-21219

Cross Site Scripting (XSS) vulnerability in Netgate pfSense 2.4.4-Release-p3 and Netgate ACME package 0.6.3 allows remote attackers to run arbitrary code via the RootFolder field to acme_certificate_edit.php page of the ACME package.

6.1 CVSS, 6.1 AI score, 0.00235 EPSS

CVE
added 2019/06/03 3:29 a.m., 53 views

CVE-2019-12584

Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an XSS issue in apcupsd_status.php.

6.1 CVSS, 6.2 AI score, 0.03889 EPSS

CVE
added 2014/07/02 10:35 a.m., 39 views

CVE-2014-4691

Session fixation vulnerability in pfSense before 2.1.4 allows remote attackers to hijack web sessions via a firewall login cookie.

6.8 CVSS, 6.8 AI score, 0.00115 EPSS

CVE
added 2020/04/29 2:15 p.m., 35 views

CVE-2020-10797

An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfSense before version 2.4.5. After passing inputs to the command and executing this command, the $result variable is not sanitized before it is printed.

6.1 CVSS, 6.1 AI score, 0.0143 EPSS

CVE
added 2023/02/22 9:15 p.m., 27 views

CVE-2022-29273

pfSense CE through 2.6.0 and pfSense Plus before 22.05 allow XSS in the WebGUI via URL Table Alias URL parameters.

6.1 CVSS, 6 AI score, 0.45069 EPSS