Total
11 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2011-5047 | 1 Pfsense | 1 Pfsense | 2024-11-21 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in status_rrd_graph.php in pfSense before 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the style parameter. | |||||
CVE-2011-4197 | 1 Pfsense | 1 Pfsense | 2024-11-21 | 7.5 HIGH | N/A |
etc/inc/certs.inc in the PKI implementation in pfSense before 2.0.1 creates each X.509 certificate with a true value for the CA basic constraint, which allows remote attackers to create sub-certificates for arbitrary subjects by leveraging the private key. | |||||
CVE-2023-29974 | 1 Pfsense | 1 Pfsense | 2024-09-04 | N/A | 9.8 CRITICAL |
An issue discovered in Pfsense CE version 2.6.0 allows attackers to compromise user accounts via weak password requirements. | |||||
CVE-2020-19678 | 2 Oisf, Pfsense | 3 Suricata, Pfsense, Suricata Package | 2024-02-04 | N/A | 7.5 HIGH |
Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php. | |||||
CVE-2023-27100 | 2 Netgate, Pfsense | 2 Pfsense Plus, Pfsense | 2024-02-04 | N/A | 9.8 CRITICAL |
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests. | |||||
CVE-2021-20729 | 2 Netgate, Pfsense | 2 Pfsense Plus, Pfsense | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL. | |||||
CVE-2021-41282 | 1 Pfsense | 1 Pfsense | 2024-02-04 | 9.0 HIGH | 8.8 HIGH |
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location. | |||||
CVE-2022-23993 | 1 Pfsense | 2 Pfsense, Pfsense Plus | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
/usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call, causing XSS. | |||||
CVE-2020-26693 | 1 Pfsense | 1 Pfsense | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which allows an authenticated attacker to execute arbitrary web scripts via exploitation of the load_balancer_monitor.php function. | |||||
CVE-2021-27933 | 1 Pfsense | 1 Pfsense | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field. | |||||
CVE-2016-10709 | 1 Pfsense | 1 Pfsense | 2024-02-04 | 9.0 HIGH | 8.8 HIGH |
pfSense before 2.3 allows remote authenticated users to execute arbitrary OS commands via a '|' character in the status_rrd_graph_img.php graph parameter, related to _rrd_graph_img.php. |