CVE-2019-16915

An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents.
References
Link Resource
https://github.com/pfsense/pfsense/commit/2c544ac61ce98f716d50b8e5961d7dfba66804b5 Patch Third Party Advisory
https://redmine.pfsense.org/issues/9610 Permissions Required Third Party Advisory
https://www.seebug.org/vuldb/ssvid-98024 Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:netgate:pfsense:*:*:*:*:*:*:*:*
cpe:2.3:a:netgate:pfsense:2.4.4:-:*:*:*:*:*:*
cpe:2.3:a:netgate:pfsense:2.4.4:p1:*:*:*:*:*:*
cpe:2.3:a:netgate:pfsense:2.4.4:p2:*:*:*:*:*:*
cpe:2.3:a:netgate:pfsense:2.4.4:p3:*:*:*:*:*:*

History

No history.

Information

Published : 2019-09-26 18:15

Updated : 2024-02-04 20:39


NVD link : CVE-2019-16915

Mitre link : CVE-2019-16915

CVE.ORG link : CVE-2019-16915


JSON object : View

Products Affected

netgate

  • pfsense
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')