Vulnerabilities > Netgate > Pfsense
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-07-12 | CVE-2020-19201 | Cross-site Scripting vulnerability in Netgate Pfsense A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. | 3.5 |
| 2021-07-12 | CVE-2020-19203 | Cross-site Scripting vulnerability in Netgate Pfsense An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. | 3.5 |
| 2020-04-29 | CVE-2020-10797 | Cross-site Scripting vulnerability in Netgate Pfsense An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version. | 4.3 |
| 2020-04-01 | CVE-2020-11457 | Cross-site Scripting vulnerability in Netgate Pfsense pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user. | 3.5 |
| 2019-09-26 | CVE-2019-16667 | Cross-Site Request Forgery (CSRF) vulnerability in Netgate Pfsense 2.4.4 diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands. | 6.8 |
| 2019-09-26 | CVE-2019-16915 | Improper Input Validation vulnerability in Netgate Pfsense An issue was discovered in pfSense through 2.4.4-p3. | 7.5 |
| 2019-09-26 | CVE-2019-16914 | Cross-site Scripting vulnerability in Netgate Pfsense An XSS issue was discovered in pfSense through 2.4.4-p3. | 4.3 |
| 2019-09-25 | CVE-2019-16701 | OS Command Injection vulnerability in Netgate Pfsense pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value. | 9.0 |
| 2019-06-25 | CVE-2019-12949 | Cross-site Scripting vulnerability in Netgate Pfsense 2.4.4 In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on a phishing page, an attacker can leverage XSS to upload arbitrary executable code, via diag_command.php and rrd_fetch_json.php (timePeriod parameter), to a server. | 4.3 |
| 2019-06-03 | CVE-2019-12585 | OS Command Injection vulnerability in multiple products Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an Arbitrary Command Execution issue in apcupsd_status.php. | 7.5 |