本ページは netgate pfsense に影響する公開済み CVE(NVD の CPE 経由で関連付け)を列挙します。各行に深刻度指標・概要・公開日が含まれます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2024-46538 | A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php. | [email protected] | 4.8 | 83.65% | 2024-10-22 | 2024-10-30 |
| CVE-2023-48123 | An issue in Netgate pfSense Plus v.23.05.1 and before and pfSense CE v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the packet_capture.php file. | [email protected] | 8.8 | 68.25% | 2023-12-06 | 2024-11-21 |
| CVE-2023-42326 | An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components. | [email protected] | 8.8 | 85.26% | 2023-11-14 | 2024-11-21 |
| CVE-2023-42327 | Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page. | [email protected] | 5.4 | 48.31% | 2023-11-14 | 2024-11-21 |
| CVE-2023-42325 | Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page. | [email protected] | 5.4 | 48.31% | 2023-11-14 | 2024-11-21 |
| CVE-2020-21487 | Cross Site Scripting vulnerability found in Netgate pfSense 2.4.4 and ACME package v.0.6.3 allows attackers to execute arbitrary code via the RootFolder field of acme_certificates.php. | [email protected] | 9.6 | 2.81% | 2023-04-04 | 2025-02-13 |
| CVE-2023-27253 | A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml. | [email protected] | 8.8 | 79.16% | 2023-03-17 | 2024-11-21 |
| CVE-2022-29273 | pfSense CE through 2.6.0 and pfSense Plus before 22.05 allow XSS in the WebGUI via URL Table Alias URL parameters. | [email protected] | 6.1 | 9.44% | 2023-02-22 | 2024-11-21 |
| CVE-2020-21219 | Cross Site Scripting (XSS) vulnerability in Netgate pf Sense 2.4.4-Release-p3 and Netgate ACME package 0.6.3 allows remote attackers to to run arbitrary code via the RootFolder field to acme_certificate_edit.php page of the ACME package. | [email protected] | 6.1 | 0.62% | 2022-12-15 | 2025-04-25 |
| CVE-2022-26019 | Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution. | [email protected] | 8.8 | 1.11% | 2022-03-31 | 2024-11-21 |
| CVE-2022-24299 | Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command. | [email protected] | 8.8 | 0.27% | 2022-03-31 | 2024-11-21 |
| CVE-2020-19203 | An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS. | [email protected] | 5.4 | 1.20% | 2021-07-12 | 2024-11-21 |
| CVE-2020-19201 | A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) parameter on NAT rules. | [email protected] | 5.4 | 0.80% | 2021-07-12 | 2024-11-21 |
| CVE-2020-10797 | An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version. After passing inputs to the command and executing this command, the $result variable is not sanitized before it is printed. | [email protected] | 6.1 | 4.10% | 2020-04-29 | 2024-11-21 |
| CVE-2020-11457 | pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user. | [email protected] | 5.4 | 5.95% | 2020-04-01 | 2024-11-21 |
| CVE-2019-16667 | diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands. This occurs because csrf_callback() produces a "CSRF token expired" error and a Try Again button when a CSRF token is missing. | [email protected] | 8.8 | 56.10% | 2019-09-26 | 2024-11-21 |
| CVE-2019-16915 | An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents. | [email protected] | 9.8 | 2.72% | 2019-09-26 | 2024-11-21 |
| CVE-2019-16914 | An XSS issue was discovered in pfSense through 2.4.4-p3. In services_captiveportal_mac.php, the username and delmac parameters are displayed without sanitization. | [email protected] | 6.1 | 1.83% | 2019-09-26 | 2024-11-21 |
| CVE-2019-16701 | pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value. | [email protected] | 8.8 | 20.46% | 2019-09-25 | 2024-11-21 |
| CVE-2019-12949 | In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on a phishing page, an attacker can leverage XSS to upload arbitrary executable code, via diag_command.php and rrd_fetch_json.php (timePeriod parameter), to a server. Then, the remote attacker can run any command with root privileges on that server. | [email protected] | 6.1 | 12.39% | 2019-06-25 | 2024-11-21 |