Vulnerabilities > Opnsense
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2023-10-23 | CVE-2023-27152 | Improper Restriction of Excessive Authentication Attempts vulnerability in Opnsense 23.1 | DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass authentication. | 9.8 |
2023-09-28 | CVE-2023-44275 | Cross-site Scripting vulnerability in Opnsense | OPNsense before 23.7.5 allows XSS via the index.php column_count parameter to the Lobby Dashboard. | 5.4 |
2023-09-28 | CVE-2023-44276 | Cross-site Scripting vulnerability in Opnsense | OPNsense before 23.7.5 allows XSS via the index.php sequence parameter to the Lobby Dashboard. | 5.4 |
2023-08-09 | CVE-2023-38997 | Path Traversal vulnerability in Opnsense | A directory traversal vulnerability in the Captive Portal templates of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands as root via a crafted ZIP archive. | 7.2 |
2023-08-09 | CVE-2023-38998 | Open Redirect vulnerability in Opnsense | An open redirect in the Login page of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to redirect a victim user to an arbitrary web site via a crafted URL. | 6.1 |
2023-08-09 | CVE-2023-38999 | Cross-Site Request Forgery (CSRF) vulnerability in Opnsense | A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to cause a Denial of Service (DoS) via a crafted GET request. | 6.5 |
2023-08-09 | CVE-2023-39000 | Cross-site Scripting vulnerability in Opnsense | A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to inject arbitrary JavaScript via the URL path. | 6.1 |
2023-08-09 | CVE-2023-39001 | Command Injection vulnerability in Opnsense | A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary commands via a crafted backup configuration file. | 9.8 |
2023-08-09 | CVE-2023-39002 | Cross-site Scripting vulnerability in Opnsense | A cross-site scripting (XSS) vulnerability in the act parameter of system_certmanager.php in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 6.1 |
2023-08-09 | CVE-2023-39003 | Incorrect Permission Assignment for Critical Resource vulnerability in Opnsense | OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 was discovered to contain insecure permissions in the directory /tmp. | 7.5 |