Filtered by vendor Pfsense Subscriptions
Total 22 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-46538 2 Netgate, Pfsense 2 Pfsense, Pfsense 2024-10-30 9.3 Critical
A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php.
CVE-2023-29973 1 Pfsense 1 Pfsense 2024-09-17 4.9 Medium
Pfsense CE version 2.6.0 is vulnerable to No rate limit which can lead to an attacker creating multiple malicious users in firewall.
CVE-2023-29974 1 Pfsense 1 Pfsense 2024-09-04 9.8 Critical
An issue discovered in Pfsense CE version 2.6.0 allows attackers to compromise user accounts via weak password requirements.
CVE-2023-29975 1 Pfsense 1 Pfsense 2024-09-04 7.2 High
An issue discovered in Pfsense CE version 2.6.0 allows attackers to change the password of any user without verification.
CVE-2011-5047 1 Pfsense 1 Pfsense 2024-08-07 N/A
Cross-site scripting (XSS) vulnerability in status_rrd_graph.php in pfSense before 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the style parameter.
CVE-2011-4197 1 Pfsense 1 Pfsense 2024-08-07 N/A
etc/inc/certs.inc in the PKI implementation in pfSense before 2.0.1 creates each X.509 certificate with a true value for the CA basic constraint, which allows remote attackers to create sub-certificates for arbitrary subjects by leveraging the private key.
CVE-2014-4694 2 Netgate, Pfsense 2 Pfsense, Suricata Package 2024-08-06 N/A
Multiple cross-site scripting (XSS) vulnerabilities in suricata_select_alias.php in the Suricata package before 1.0.6 for pfSense through 2.1.4 allow remote attackers to inject arbitrary web script or HTML via unspecified variables.
CVE-2014-4696 2 Netgate, Pfsense 2 Pfsense, Suricata Package 2024-08-06 N/A
Multiple open redirect vulnerabilities in the Suricata package before 1.0.6 for pfSense through 2.1.4 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via (1) the referer parameter to suricata_rules_flowbits.php or (2) the returl parameter to suricata_select_alias.php.
CVE-2014-4693 2 Netgate, Pfsense 2 Pfsense, Snort Package 2024-08-06 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Snort package before 3.0.13 for pfSense through 2.1.4 allow remote attackers to inject arbitrary web script or HTML via (1) the eng parameter to snort_import_aliases.php or (2) unspecified variables to snort_select_alias.php.
CVE-2014-4695 2 Netgate, Pfsense 2 Pfsense, Snort Package 2024-08-06 N/A
Multiple open redirect vulnerabilities in the Snort package before 3.0.13 for pfSense through 2.1.4 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via (1) the referer parameter to snort_rules_flowbits.php or (2) the returl parameter to snort_select_alias.php.
CVE-2016-10709 1 Pfsense 1 Pfsense 2024-08-06 N/A
pfSense before 2.3 allows remote authenticated users to execute arbitrary OS commands via a '|' character in the status_rrd_graph_img.php graph parameter, related to _rrd_graph_img.php.
CVE-2019-18667 1 Pfsense 1 Pfsense-pkg-freeradius3 2024-08-05 6.1 Medium
/usr/local/www/freeradius_view_config.php in the freeradius3 package before 0.15.7_3 for pfSense on FreeBSD allows a user with an XSS payload as password or username to execute arbitrary javascript code on a victim browser.
CVE-2020-26693 1 Pfsense 1 Pfsense 2024-08-04 5.4 Medium
A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which allows an authenticated attacker to execute arbitrary web scripts via exploitation of the load_balancer_monitor.php function.
CVE-2020-19678 2 Oisf, Pfsense 3 Suricata, Pfsense, Suricata Package 2024-08-04 7.5 High
Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php.
CVE-2021-41282 1 Pfsense 1 Pfsense 2024-08-04 8.8 High
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.
CVE-2021-27933 1 Pfsense 1 Pfsense 2024-08-03 6.1 Medium
pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field.
CVE-2021-20729 2 Netgate, Pfsense 2 Pfsense Plus, Pfsense 2024-08-03 6.1 Medium
Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL.
CVE-2022-42247 1 Pfsense 1 Pfsense 2024-08-03 6.1 Medium
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
CVE-2022-40624 1 Pfsense 1 Pfblockerng 2024-08-03 9.8 Critical
pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814.
CVE-2022-23993 1 Pfsense 2 Pfsense, Pfsense Plus 2024-08-03 6.1 Medium
/usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call, causing XSS.