Описание
An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS.
Ссылки
- Vendor Advisory
- Third Party Advisory
- Vendor Advisory
- ProductRelease NotesVendor Advisory
- Vendor Advisory
- Third Party Advisory
- Vendor Advisory
- ProductRelease NotesVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.4.4 (исключая)
Одно из
cpe:2.3:a:netgate:pfsense:*:*:*:*:*:*:*:*
cpe:2.3:a:netgate:pfsense:2.4.4:-:*:*:*:*:*:*
cpe:2.3:a:netgate:pfsense:2.4.4:p1:*:*:*:*:*:*
cpe:2.3:a:netgate:pfsense:2.4.4:p2:*:*:*:*:*:*
EPSS
Процентиль: 79%
0.012
Низкий
5.4 Medium
CVSS3
3.5 Low
CVSS2
Дефекты
CWE-79
Связанные уязвимости
CVSS3: 5.4
github
больше 3 лет назад
Netgate pfSense Community Edition 2.4.4 - p2 (arm64) is affected by: Cross Site Scripting (XSS). The impact is: Session Hijacking, Information Leakage (local). The component is: pfSense Dashboard, Work-on-LAN Service configuration. The attack vector is: Inject the malicious JavaScript code in Description text box or parameter.
EPSS
Процентиль: 79%
0.012
Низкий
5.4 Medium
CVSS3
3.5 Low
CVSS2
Дефекты
CWE-79