header-logo
Suggest Exploit
vendor:
pfSense
by:
High-Tech Bridge Security Research Lab
2.65.4
CVSS
MEDIUM
Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]
79, 352
CWE
Product Name: pfSense
Affected Version From: 2.2 and probably prior
Affected Version To: 2.2
Patch Exists: YES
Related CWE: CVE-2015-2294, CVE-2015-2295
CPE: a:electric_sheep_fencing_llc:pfsense
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2015

Multiple XSS and CSRF vulnerabilities in pfSense

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in web interface of pfSense, which can be exploited to perform Cross-Site Scripting (XSS) attacks against administrator of pfSense and delete arbitrary files via CSRF (Cross-Site Request Forgery) attacks. Successful exploitation of the vulnerabilities may allow an attacker to delete arbitrary files on the system with root privileges, steal administrator’s cookies and gain complete control over the web application and even the entire system, as pfSense is running with root privileges and allows OS command execution via its web interface.

Mitigation:

Fixed by Vendor
Source

Exploit-DB raw data: