Netgate pfSense 2.4.4

Cross Site Scripting vulnerability found in Netgate pfSense 2.4.4 and ACME package v.0.6.3 allows attackers to execute arbitrary code via the RootFolder field of acme_certificates.php.

Published: 2023-04-04T00:00:00.000Z
Updated: 2025-02-13T16:36:13.194Z

An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS.

Published: 2021-07-12T15:39:07.000Z
Updated: 2024-08-04T14:08:30.664Z

An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents.

Published: 2019-09-26T17:38:42.000Z
Updated: 2024-08-05T01:24:48.530Z

An XSS issue was discovered in pfSense through 2.4.4-p3. In services_captiveportal_mac.php, the username and delmac parameters are displayed without sanitization.

Published: 2019-09-26T17:38:53.000Z
Updated: 2024-08-05T01:24:48.605Z

pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value.

Published: 2019-09-25T15:45:56.000Z
Updated: 2024-08-05T01:17:41.164Z

Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an Arbitrary Command Execution issue in apcupsd_status.php.

Published: 2019-06-03T02:28:08.000Z
Updated: 2024-08-04T23:24:38.689Z

Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an XSS issue in apcupsd_status.php.

Published: 2019-06-03T02:27:47.000Z
Updated: 2024-08-04T23:24:39.165Z