Pfsense
by Pfsense
CVEs (48)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-29975 | | | 0.00 | — | 0.02 | | Nov 9, 2023 | An issue discovered in Pfsense CE version 2.6.0 allows attackers to change the password of any user without verification. |
| CVE-2023-29973 | | | 0.00 | — | 0.02 | | Oct 24, 2023 | Pfsense CE version 2.6.0 is vulnerable to No rate limit which can lead to an attacker creating multiple malicious users in firewall. |
| CVE-2020-19678 | | | 0.00 | — | 0.03 | | Apr 6, 2023 | Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php. |
| CVE-2020-21487 | | | 0.00 | — | 0.01 | | Apr 4, 2023 | Cross Site Scripting vulnerability found in Netgate pfSense 2.4.4 and ACME package v.0.6.3 allows attackers to execute arbitrary code via the RootFolder field of acme_certificates.php. |
| CVE-2022-42247 | | | 0.00 | — | 0.02 | | Oct 3, 2022 | pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name. |
| CVE-2022-23993 | | | 0.00 | — | 0.02 | | Jan 26, 2022 | /usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call, causing XSS. |
| CVE-2020-26693 | | | 0.00 | — | 0.05 | | Jun 1, 2021 | A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which allows an authenticated attacker to execute arbitrary web scripts via exploitation of the load_balancer_monitor.php function. |
| CVE-2021-27933 | | | 0.00 | — | 0.27 | | Apr 28, 2021 | pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field. |
| CVE-2020-10797 | | | 0.00 | — | 0.02 | | Apr 29, 2020 | An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version. After passing inputs to the command and executing this command, the $result variable is not sanitized before it is printed. |
| CVE-2019-16914 | | | 0.00 | — | 0.02 | | Sep 26, 2019 | An XSS issue was discovered in pfSense through 2.4.4-p3. In services_captiveportal_mac.php, the username and delmac parameters are displayed without sanitization. |
| CVE-2019-16915 | | | 0.00 | — | 0.04 | | Sep 26, 2019 | An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents. |
| CVE-2019-16701 | | | 0.00 | — | 0.20 | | Sep 25, 2019 | pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value. |
| CVE-2019-12585 | | | 0.00 | — | 0.05 | | Jun 3, 2019 | Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an Arbitrary Command Execution issue in apcupsd_status.php. |
| CVE-2019-12584 | | | 0.00 | — | 0.03 | | Jun 3, 2019 | Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an XSS issue in apcupsd_status.php. |
| CVE-2019-11816 | | | 0.00 | — | 0.03 | | May 20, 2019 | Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request. |
| CVE-2018-20798 | | | 0.00 | — | 0.01 | | Mar 1, 2019 | The expiretable configuration in pfSense 2.4.4_1 establishes block durations that are incompatible with the block durations implemented by sshguard, which might make it easier for attackers to bypass intended access restrictions. |
| CVE-2018-20799 | | | 0.00 | — | 0.02 | | Mar 1, 2019 | In pfSense 2.4.4_1, blocking of source IP addresses on the basis of failed HTTPS authentication is inconsistent with blocking of source IP addresses on the basis of failed SSH authentication (the behavior does not match the sshguard documentation), which might make it easier for… |
| CVE-2015-6511 | | | 0.00 | — | 0.02 | | Aug 18, 2015 | Cross-site scripting (XSS) vulnerability in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the server[] parameter to services_ntpd.php. |
| CVE-2015-6510 | | | 0.00 | — | 0.02 | | Aug 18, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) srctrack, (2) use_mfs_tmp_size, or (3) use_mfs_var_size parameter to system_advanced_misc.php; the (4) port, (5) snaplen, or (6)… |
| CVE-2015-6509 | | | 0.00 | — | 0.02 | | Aug 18, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) proxypass parameter to system_advanced_misc.php; (2) adaptiveend, (3) adaptivestart, (4) maximumstates, (5) maximumtableentries,… |
Page 2 of 3