Vulnerabilities (CVE)

Filtered by vendor Opnsense Subscribe
Filtered by product Opnsense
Total 19 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-44276 1 Opnsense 1 Opnsense 2024-11-21 N/A 5.4 MEDIUM
OPNsense before 23.7.5 allows XSS via the index.php sequence parameter to the Lobby Dashboard.
CVE-2023-44275 1 Opnsense 1 Opnsense 2024-11-21 N/A 5.4 MEDIUM
OPNsense before 23.7.5 allows XSS via the index.php column_count parameter to the Lobby Dashboard.
CVE-2023-39008 1 Opnsense 1 Opnsense 2024-11-21 N/A 9.8 CRITICAL
A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense before 23.7 allows attackers to execute arbitrary system commands.
CVE-2023-39007 1 Opnsense 1 Opnsense 2024-11-21 N/A 9.6 CRITICAL
/ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows XSS via openAction in app/controllers/OPNsense/Cron/ItemController.php.
CVE-2023-39006 1 Opnsense 1 Opnsense 2024-11-21 N/A 5.4 MEDIUM
The Crash Reporter (crash_reporter.php) component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 mishandles input sanitization.
CVE-2023-39005 1 Opnsense 1 Opnsense 2024-11-21 N/A 7.5 HIGH
Insecure permissions exist for configd.socket in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2.
CVE-2023-39004 1 Opnsense 1 Opnsense 2024-11-21 N/A 9.8 CRITICAL
Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allow attackers to access sensitive information (e.g., hashed root password) which could lead to privilege escalation.
CVE-2023-39003 1 Opnsense 1 Opnsense 2024-11-21 N/A 7.5 HIGH
OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 was discovered to contain insecure permissions in the directory /tmp.
CVE-2023-39002 1 Opnsense 1 Opnsense 2024-11-21 N/A 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in the act parameter of system_certmanager.php in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2023-39001 1 Opnsense 1 Opnsense 2024-11-21 N/A 9.8 CRITICAL
A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary commands via a crafted backup configuration file.
CVE-2023-39000 1 Opnsense 1 Opnsense 2024-11-21 N/A 6.1 MEDIUM
A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to inject arbitrary JavaScript via the URL path.
CVE-2023-38999 1 Opnsense 1 Opnsense 2024-11-21 N/A 6.5 MEDIUM
A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to cause a Denial of Service (DoS) via a crafted GET request.
CVE-2023-38998 1 Opnsense 1 Opnsense 2024-11-21 N/A 6.1 MEDIUM
An open redirect in the Login page of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to redirect a victim user to an arbitrary web site via a crafted URL.
CVE-2023-38997 1 Opnsense 1 Opnsense 2024-11-21 N/A 7.2 HIGH
A directory traversal vulnerability in the Captive Portal templates of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands as root via a crafted ZIP archive.
CVE-2023-27152 1 Opnsense 1 Opnsense 2024-11-21 N/A 9.8 CRITICAL
DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass authentication.
CVE-2021-42770 1 Opnsense 1 Opnsense 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4 via the LDAP attribute return in the authentication tester.
CVE-2020-23015 1 Opnsense 1 Opnsense 2024-11-21 5.8 MEDIUM 6.1 MEDIUM
An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter "url" in login page was not filtered and can redirect user to any website.
CVE-2019-11816 2 Netgate, Opnsense 2 Pfsense, Opnsense 2024-11-21 6.5 MEDIUM 7.2 HIGH
Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request.
CVE-2018-18958 1 Opnsense 1 Opnsense 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
OPNsense 18.7.x before 18.7.7 has Incorrect Access Control.