Total
49 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-21219 | 1 Netgate | 2 Acme, Pfsense | 2025-04-25 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Netgate pf Sense 2.4.4-Release-p3 and Netgate ACME package 0.6.3 allows remote attackers to to run arbitrary code via the RootFolder field to acme_certificate_edit.php page of the ACME package.
|
|||||
| CVE-2014-4693 | 2 Netgate, Pfsense | 2 Pfsense, Snort Package | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in the Snort package before 3.0.13 for pfSense through 2.1.4 allow remote attackers to inject arbitrary web script or HTML via (1) the eng parameter to snort_import_aliases.php or (2) unspecified variables to snort_select_alias.php.
|
|||||
| CVE-2014-4696 | 2 Netgate, Pfsense | 2 Pfsense, Suricata Package | 2025-04-12 | 5.8 MEDIUM | N/A |
|
Multiple open redirect vulnerabilities in the Suricata package before 1.0.6 for pfSense through 2.1.4 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via (1) the referer parameter to suricata_rules_flowbits.php or (2) the returl parameter to suricata_select_alias.php.
|
|||||
| CVE-2014-4687 | 1 Netgate | 1 Pfsense | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.1.4 allow remote attackers to inject arbitrary web script or HTML via (1) the starttime0 parameter to firewall_schedule.php, (2) the rssfeed parameter to rss.widget.php, (3) the servicestatusfilter parameter to services_status.widget.php, (4) the txtRecallBuffer parameter to exec.php, or (5) the HTTP Referer header to log.widget.php.
|
|||||
| CVE-2014-4692 | 1 Netgate | 1 Pfsense | 2025-04-12 | 4.3 MEDIUM | N/A |
|
pfSense before 2.1.4, when HTTP is used, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
|
|||||
| CVE-2015-2294 | 1 Netgate | 1 Pfsense | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in the WebGUI in pfSense before 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) zone parameter to status_captiveportal.php; (2) if or (3) dragtable parameter to firewall_rules.php; (4) queue parameter in an add action to firewall_shaper.php; (5) id parameter in an edit action to services_unbound_acls.php; or (6) filterlogentries_time, (7) filterlogentries_sourceipaddress, (8) filterlogentries_sourceport, (9) filt ...
Show More |
|||||
| CVE-2015-1414 | 3 Debian, Freebsd, Netgate | 3 Debian Linux, Freebsd, Pfsense | 2025-04-12 | 7.8 HIGH | N/A |
|
Integer overflow in FreeBSD before 8.4 p24, 9.x before 9.3 p10. 10.0 before p18, and 10.1 before p6 allows remote attackers to cause a denial of service (crash) via a crafted IGMP packet, which triggers an incorrect size calculation and allocation of insufficient memory.
|
|||||
| CVE-2014-4694 | 2 Netgate, Pfsense | 2 Pfsense, Suricata Package | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in suricata_select_alias.php in the Suricata package before 1.0.6 for pfSense through 2.1.4 allow remote attackers to inject arbitrary web script or HTML via unspecified variables.
|
|||||
| CVE-2015-2295 | 1 Netgate | 1 Pfsense | 2025-04-12 | 6.8 MEDIUM | N/A |
|
Cross-site request forgery (CSRF) vulnerability in system_firmware_restorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deletefile parameter.
|
|||||
| CVE-2015-4029 | 1 Netgate | 1 Pfsense | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in the WebGUI in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the zone parameter in a del action to services_captiveportal_zones.php.
|
|||||
| CVE-2015-6508 | 1 Netgate | 1 Pfsense | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the descr parameter in a "new" action to system_authservers.php.
|
|||||
| CVE-2015-6510 | 1 Netgate | 1 Pfsense | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) srctrack, (2) use_mfs_tmp_size, or (3) use_mfs_var_size parameter to system_advanced_misc.php; the (4) port, (5) snaplen, or (6) count parameter to diag_packet_capture.php; the (7) pppoe_resethour, (8) pppoe_resetminute, (9) wpa_group_rekey, or (10) wpa_gmk_rekey parameter to interfaces.php; the (11) pppoe_resethour or (12) pppoe_resetminute parame ...
Show More |
|||||
| CVE-2014-4691 | 1 Netgate | 1 Pfsense | 2025-04-12 | 6.8 MEDIUM | N/A |
|
Session fixation vulnerability in pfSense before 2.1.4 allows remote attackers to hijack web sessions via a firewall login cookie.
|
|||||
| CVE-2014-4688 | 1 Netgate | 1 Pfsense | 2025-04-12 | 6.5 MEDIUM | N/A |
|
pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via (1) the hostname value to diag_dns.php in a Create Alias action, (2) the smartmonemail value to diag_smart.php, or (3) the database value to status_rrd_graph_img.php.
|
|||||
| CVE-2015-6511 | 1 Netgate | 1 Pfsense | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the server[] parameter to services_ntpd.php.
|
|||||
| CVE-2014-4695 | 2 Netgate, Pfsense | 2 Pfsense, Snort Package | 2025-04-12 | 5.8 MEDIUM | N/A |
|
Multiple open redirect vulnerabilities in the Snort package before 3.0.13 for pfSense through 2.1.4 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via (1) the referer parameter to snort_rules_flowbits.php or (2) the returl parameter to snort_select_alias.php.
|
|||||
| CVE-2015-6509 | 1 Netgate | 1 Pfsense | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) proxypass parameter to system_advanced_misc.php; (2) adaptiveend, (3) adaptivestart, (4) maximumstates, (5) maximumtableentries, or (6) aliasesresolveinterval parameter to system_advanced_firewall.php; (7) proxyurl, (8) proxyuser, or (9) proxyport parameter to system_advanced_misc.php; or (10) name, (11) notification_name, (12) ipaddress, (13) pass ...
Show More |
|||||
| CVE-2014-4690 | 1 Netgate | 1 Pfsense | 2025-04-12 | 5.0 MEDIUM | N/A |
|
Multiple directory traversal vulnerabilities in pfSense before 2.1.4 allow (1) remote attackers to read arbitrary .info files via a crafted path in the pkg parameter to pkg_mgr_install.php and allow (2) remote authenticated users to read arbitrary files via the downloadbackup parameter to system_firmware_restorefullbackup.php.
|
|||||
| CVE-2014-4689 | 1 Netgate | 1 Pfsense | 2025-04-12 | 5.0 MEDIUM | N/A |
|
Absolute path traversal vulnerability in pkg_edit.php in pfSense before 2.1.4 allows remote attackers to read arbitrary XML files via a full pathname in the xml parameter.
|
|||||
| CVE-2020-21487 | 1 Netgate | 2 Pfsense, Pfsense Acme Package | 2025-02-13 | N/A | 9.6 CRITICAL |
|
Cross Site Scripting vulnerability found in Netgate pfSense 2.4.4 and ACME package v.0.6.3 allows attackers to execute arbitrary code via the RootFolder field of acme_certificates.php.
|
|||||
| CVE-2023-48123 | 1 Netgate | 2 Pfsense, Pfsense Plus | 2024-11-21 | N/A | 8.8 HIGH |
|
An issue in Netgate pfSense Plus v.23.05.1 and before and pfSense CE v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the packet_capture.php file.
|
|||||
| CVE-2023-42327 | 1 Netgate | 1 Pfsense | 2024-11-21 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.
|
|||||
| CVE-2023-42326 | 1 Netgate | 2 Pfsense, Pfsense Plus | 2024-11-21 | N/A | 8.8 HIGH |
|
An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.
|
|||||
| CVE-2023-42325 | 1 Netgate | 1 Pfsense | 2024-11-21 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.
|
|||||
| CVE-2023-27253 | 1 Netgate | 1 Pfsense | 2024-11-21 | N/A | 8.8 HIGH |
|
A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.
|
|||||
| CVE-2022-29273 | 1 Netgate | 1 Pfsense | 2024-11-21 | N/A | 6.1 MEDIUM |
|
pfSense CE through 2.6.0 and pfSense Plus before 22.05 allow XSS in the WebGUI via URL Table Alias URL parameters.
|
|||||
| CVE-2022-26019 | 1 Netgate | 2 Pfsense, Pfsense Plus | 2024-11-21 | 8.5 HIGH | 8.8 HIGH |
|
Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution.
|
|||||
| CVE-2022-24299 | 1 Netgate | 2 Pfsense, Pfsense Plus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command.
|
|||||
| CVE-2020-19203 | 1 Netgate | 1 Pfsense | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS.
|
|||||
| CVE-2020-19201 | 1 Netgate | 1 Pfsense | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) parameter on NAT rules.
|
|||||
| CVE-2020-11457 | 1 Netgate | 1 Pfsense | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user.
|
|||||
| CVE-2020-10797 | 1 Netgate | 1 Pfsense | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version. After passing inputs to the command and executing this command, the $result variable is not sanitized before it is printed.
|
|||||
| CVE-2019-16915 | 1 Netgate | 1 Pfsense | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents.
|
|||||
| CVE-2019-16914 | 1 Netgate | 1 Pfsense | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An XSS issue was discovered in pfSense through 2.4.4-p3. In services_captiveportal_mac.php, the username and delmac parameters are displayed without sanitization.
|
|||||
| CVE-2019-16701 | 1 Netgate | 1 Pfsense | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value.
|
|||||
| CVE-2019-16667 | 1 Netgate | 1 Pfsense | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands. This occurs because csrf_callback() produces a "CSRF token expired" error and a Try Again button when a CSRF token is missing.
|
|||||
| CVE-2019-12949 | 1 Netgate | 1 Pfsense | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on a phishing page, an attacker can leverage XSS to upload arbitrary executable code, via diag_command.php and rrd_fetch_json.php (timePeriod parameter), to a server. Then, the remote attacker can run any command with root privileges on that server.
|
|||||
| CVE-2019-12585 | 2 Apcupsd, Netgate | 2 Apcupsd, Pfsense | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an Arbitrary Command Execution issue in apcupsd_status.php.
|
|||||
| CVE-2019-12584 | 2 Apcupsd, Netgate | 2 Apcupsd, Pfsense | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an XSS issue in apcupsd_status.php.
|
|||||
| CVE-2019-12347 | 1 Netgate | 1 Pfsense | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an acme_accountkeys_edit.php action. The vulnerability occurs due to input validation errors.
|
|||||