Rapid7 Vulnerability & Exploit Database

pfSense: pfSense-SA-15_01.webgui: Multiple Cross-Site Request Forgery protection bypass vulnerabilities in the pfSense WebGUI


Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/23/2015
Created: 07/25/2018
Added: 08/25/2017
Modified: 07/13/2021

Description

Multiple Cross-Site Scripting vulnerabilities were discovered in the pfSense WebGUI during a security audit:

  • Multiple XSS in System > Advanced, Notifications page
  • XSS in captive portal status widget
  • XSS in edit.php

Due to the lack of encoding on the affected actions and pages, an attacker could cause an administrator's browser session to trigger an unwanted action by getting them to browse to a crafted URL.

Solution(s)

  • pfsense-upgrade-latest
