CVE-2016-10709

Опубликовано: 22 янв. 2018

Источник: nvd

CVSS3: 8.8

CVSS2: 9

EPSS Высокий

Описание

pfSense before 2.3 allows remote authenticated users to execute arbitrary OS commands via a '|' character in the status_rrd_graph_img.php graph parameter, related to _rrd_graph_img.php.

Ссылки

https://www.exploit-db.com/exploits/39709/
Exploit
Third Party Advisory
VDB Entry
https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc
Vendor Advisory
https://www.rapid7.com/db/modules/exploit/unix/http/pfsense_graph_injection_exec
Exploit
Third Party Advisory
https://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf
Exploit
Third Party Advisory
https://www.exploit-db.com/exploits/39709/
Exploit
Third Party Advisory
VDB Entry
https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc
Vendor Advisory
https://www.rapid7.com/db/modules/exploit/unix/http/pfsense_graph_injection_exec
Exploit
Third Party Advisory
https://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:pfsense:pfsense:*:*:*:*:community:*:*:*

Версия до 2.2.6 (включая)

EPSS

Процентиль: 99%

0.75579

Высокий

8.8 High

CVSS3

9 Critical

CVSS2

Дефекты

CWE-78

Связанные уязвимости

GHSA-wcgm-j5v9-x43g