OpenCVE

/ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows XSS via openAction in app/controllers/OPNsense/Cron/ItemController.php.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Opnsense	Opnsense

Configuration 1 [-]

cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/opnsense/core/commit/5edff49db1cd8b5078611e2f542d91c02af2b25c
https://github.com/opnsense/core/compare/23.1.11...23.7
https://logicaltrust.net/blog/2023/08/opnsense.html

History

Fri, 11 Oct 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-08-09T00:00:00

Updated: 2024-10-10T18:23:11.465Z

Reserved: 2023-07-25T00:00:00

Link: CVE-2023-39007

Vulnrichment

Updated: 2024-08-02T17:54:39.865Z

NVD

Status : Modified

Published: 2023-08-09T19:15:15.207

Modified: 2024-11-21T08:14:36.773

Link: CVE-2023-39007

Redhat

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4C1BDFF-B6E1-4F82-9957-1FFA069E2EDC", "versionEndExcluding": "23.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "/ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows XSS via openAction in app/controllers/OPNsense/Cron/ItemController.php."}, {"lang": "es", "value": "/ui/cron/item/open en el componente Cron de OPNsense Community Edition antes de 23.7 y Business Edition antes de 23.4.2 permite XSS a trav\u00e9s de openAction en app/controllers/OPNsense/Cron/ItemController.php."}], "id": "CVE-2023-39007", "lastModified": "2024-11-21T08:14:36.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-09T19:15:15.207", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/opnsense/core/commit/5edff49db1cd8b5078611e2f542d91c02af2b25c"}, {"source": "cve@mitre.org", "url": "https://github.com/opnsense/core/compare/23.1.11...23.7"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://logicaltrust.net/blog/2023/08/opnsense.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/opnsense/core/commit/5edff49db1cd8b5078611e2f542d91c02af2b25c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/opnsense/core/compare/23.1.11...23.7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://logicaltrust.net/blog/2023/08/opnsense.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}