vulnerability

pfSense: pfSense-SA-18_04.webgui: LFI Vulnerability in the pfSense WebGUI

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:C/I:N/A:N)	May 1, 2018	May 15, 2018	Feb 18, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:N/A:N)

Published

May 1, 2018

Added

May 15, 2018

Modified

Feb 18, 2025

Description

A Local File Include (LFI) vulnerability was discovered in pkg_mgr_install.php,
a part of the pfSense WebGUI, via the logfilename parameter.

The logfilename parameter on pkg_mgr_install.php in an AJAX request was used to
specify a file to read, ending in .txt. This file name was not sanitized or
restricted to a specific path.

An authenticated user sending a specially crafted POST request could read any
file on the filesystem with a name ending in '.txt'.

Solution

pfsense-upgrade-latest

References

URL-https://pfsense.org/security/advisories/pfSense-SA-18_04.webgui.asc

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today