OPNsense vulnerabilities

DATE        CVE             VULNERABILITY TITLE                                   RISK
Each entry gives the description, then attack vector, attack complexity, product, CWE and CVSS base score (risk).
2023-10-23  CVE-2023-27152  Improper Restriction of Excessive Authentication Attempts vulnerability in OPNsense 23.1
  DECISO OPNsense 23.1 does not impose rate limits on authentication, allowing attackers to perform a brute-force attack to bypass authentication.
  Attack vector: network. Attack complexity: low. Product: opnsense. CWE-307. CVSS base score: 9.8 (critical).
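Added illustration for the CWE-307 class behind this entry; it is not OPNsense code. A sliding-window login throttle keyed on both the target account and the source address, so that neither rotating source addresses nor spraying many accounts from one address sidesteps the limit. The thresholds, the credential store, the salt and the addresses are hypothetical values constructed for the example.

```python
"""Login throttling with lockout (CWE-307). Added example; all values hypothetical."""
import hashlib
import hmac
import time
from collections import deque

MAX_FAILURES = 5     # failures tolerated inside WINDOW before the key locks (hypothetical)
WINDOW = 60.0        # sliding window, seconds
LOCKOUT = 300.0      # lock duration, seconds

# Constructed credential store: a fixed salt keeps the sample short; real code salts per user.
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"root": _hash("correct horse battery staple")}
_DUMMY = _hash("")   # compared against when the account does not exist, to keep timing uniform


class LoginThrottle:
    """Counts failures per account and per source in a sliding window; locks a key when its limit is reached."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}       # key -> deque of failure timestamps
        self.locked_until = {}   # key -> time at which the lock expires

    @staticmethod
    def _keys(user: str, src: str):
        # Two independent limits: one per target account, one per source address.
        return (("user", user.lower()), ("src", src))

    def locked(self, user: str, src: str) -> bool:
        now = self.clock()
        return any(self.locked_until.get(k, 0.0) > now for k in self._keys(user, src))

    def failure(self, user: str, src: str) -> None:
        now = self.clock()
        for k in self._keys(user, src):
            q = self.failures.setdefault(k, deque())
            q.append(now)
            while q and now - q[0] > WINDOW:   # forget failures older than the window
                q.popleft()
            if len(q) >= MAX_FAILURES:
                self.locked_until[k] = now + LOCKOUT
                q.clear()

    def success(self, user: str, src: str) -> None:
        for k in self._keys(user, src):
            self.failures.pop(k, None)


def attempt_login(throttle: LoginThrottle, user: str, password: str, src: str) -> str:
    """Return "locked", "ok" or "bad". A locked key is rejected before any credential check."""
    if throttle.locked(user, src):
        return "locked"
    stored = USERS.get(user)
    # Always run the hash so unknown accounts take as long as known ones.
    match = hmac.compare_digest(_hash(password), stored if stored is not None else _DUMMY)
    if stored is not None and match:
        throttle.success(user, src)
        return "ok"
    throttle.failure(user, src)
    return "bad"


def simulate_brute_force() -> list:
    """Constructed scenario: one source guesses MAX_FAILURES passwords for root, one second apart."""
    now = [1000.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    attacker, other = "198.51.100.7", "203.0.113.9"   # RFC 5737 documentation addresses
    results = []
    for i in range(MAX_FAILURES):
        results.append(attempt_login(throttle, "root", f"guess{i}", attacker))
        now[0] += 1.0
    # Correct password from the same source: rejected, both the account and the source are locked.
    results.append(attempt_login(throttle, "root", "correct horse battery staple", attacker))
    # A different account from the locked source: rejected by the per-source limit.
    results.append(attempt_login(throttle, "admin", "anything", attacker))
    # The real user from another address: rejected by the per-account limit until the lockout expires.
    results.append(attempt_login(throttle, "root", "correct horse battery staple", other))
    now[0] += LOCKOUT
    results.append(attempt_login(throttle, "root", "correct horse battery staple", other))
    return results


if __name__ == "__main__":
    print(simulate_brute_force())
```

The per-account lock is what actually stops a password guess from succeeding; the per-source lock mainly slows password spraying. Both have a denial-of-service cost for the legitimate user, which is why the lockout is short and time-based rather than permanent.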
2023-09-28  CVE-2023-44275  Cross-site Scripting vulnerability in OPNsense
  OPNsense before 23.7.5 allows XSS via the index.php column_count parameter to the Lobby Dashboard.
  Attack vector: network. Attack complexity: low. Product: opnsense. CWE-79. CVSS base score: 5.4.
2023-09-28  CVE-2023-44276  Cross-site Scripting vulnerability in OPNsense
  OPNsense before 23.7.5 allows XSS via the index.php sequence parameter to the Lobby Dashboard.
  Attack vector: network. Attack complexity: low. Product: opnsense. CWE-79. CVSS base score: 5.4.
2023-08-09  CVE-2023-38997  Path Traversal vulnerability in OPNsense
  A directory traversal vulnerability in the Captive Portal templates of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands as root via a crafted ZIP archive.
  Attack vector: network. Attack complexity: low. Product: opnsense. CWE-22. CVSS base score: 7.2.
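Added illustration for the CWE-22 class behind this entry; it is not OPNsense code and not an exploit. A pre-extraction check for the members of an uploaded ZIP archive that rejects absolute names, parent-directory traversal, backslash separators and symlink entries, and reports them rather than silently rewriting the names the way a lenient extractor would. The sample archive, its member names and the destination directory are constructed for the example.

```python
"""Vetting members of an uploaded ZIP before extraction (CWE-22 via archive names). Added example."""
import io
import os
import posixpath
import stat
import zipfile
from typing import Dict, Optional

DEST = "/var/tmp/templates"   # hypothetical destination directory


def unsafe_reason(info: zipfile.ZipInfo, dest: str) -> Optional[str]:
    """Return why a member must be rejected, or None if it may be extracted under dest."""
    name = info.filename
    if "\\" in name:
        return "backslash in name"            # ZIP names use "/"; a backslash is a hostile or broken name
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return "absolute path"
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        return "path traversal"
    # Resolve against the destination and confirm containment, independent of the string checks.
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, *norm.split("/")))
    if os.path.commonpath([root, target]) != root:
        return "escapes destination"
    if stat.S_ISLNK(info.external_attr >> 16):   # the Unix mode lives in the high 16 bits
        return "symlink entry"                    # a link to /etc plus a later write through it is a traversal too
    return None


def vet_archive(data: bytes, dest: str) -> Dict[str, str]:
    """Map each rejected member name to its reason; an empty dict means the archive may be extracted."""
    rejected = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = unsafe_reason(info, dest)
            if reason is not None:
                rejected[info.filename] = reason
    return rejected


def build_sample_archive() -> bytes:
    """Constructed archive: one benign template plus three hostile entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("templates/index.html", "<html></html>")
        zf.writestr("../../../usr/local/etc/rc.d/evil.sh", "#!/bin/sh\n")
        zf.writestr("/etc/crontab", "")
        link = zipfile.ZipInfo("templates/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/etc")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in vet_archive(build_sample_archive(), DEST).items():
        print(f"rejected {member!r}: {why}")
```

Rejecting the whole upload on the first bad member is the right policy for an admin-supplied template bundle: a legitimate bundle never needs to write outside its own directory, so any such name is evidence of a crafted archive, not a formatting accident.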
2023-08-09  CVE-2023-38998  Open Redirect vulnerability in OPNsense
  An open redirect in the Login page of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to redirect a victim user to an arbitrary web site via a crafted URL.
  Attack vector: network. Attack complexity: low. Product: opnsense. CWE-601. CVSS base score: 6.1.
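Added illustration for the CWE-601 class behind this entry; it is not OPNsense code. A validator for a post-login return path that accepts only an absolute path on the same origin. It rejects the forms browsers resolve to another host: scheme-relative "//host", the "///host" and "/\host" variants, full URLs, and paths containing tab or newline characters, which browsers strip before parsing. The inputs in CASES are constructed.

```python
"""Validating a post-login return path (CWE-601). Added example with constructed inputs."""
from urllib.parse import urlsplit

DEFAULT = "/"   # where to send the user when the requested target is not acceptable


def safe_return_path(candidate: object) -> str:
    """Return candidate only if it is an absolute path on this origin; otherwise DEFAULT."""
    if not isinstance(candidate, str) or not candidate:
        return DEFAULT
    # Browsers delete ASCII tab and newline before parsing, so "/\t/evil" is seen as "//evil".
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return DEFAULT
    # Chromium-based browsers treat a backslash like a slash, so "/\evil" is scheme-relative.
    if "\\" in candidate:
        return DEFAULT
    # Must start with exactly one slash: "//host" is scheme-relative, and "///host" also resolves to a
    # host in browsers even though urlsplit reports an empty netloc for it, so check the raw string.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:   # belt and braces for anything the string checks missed
        return DEFAULT
    return candidate


CASES = {   # constructed inputs -> expected decision
    "/index.php": "/index.php",
    "/ui/diagnostics/log/core/?page=2#top": "/ui/diagnostics/log/core/?page=2#top",
    "//evil.example/": DEFAULT,
    "///evil.example": DEFAULT,
    "/\\evil.example": DEFAULT,
    "/\t/evil.example": DEFAULT,
    "https://evil.example/": DEFAULT,
    "javascript:alert(1)": DEFAULT,
    "index.php": DEFAULT,      # relative paths are refused too; resolve them server-side if needed
    "": DEFAULT,
}


def check_cases() -> bool:
    """True when every constructed case is decided as expected."""
    return all(safe_return_path(given) == want for given, want in CASES.items())


if __name__ == "__main__":
    for given, want in CASES.items():
        print(f"{given!r:45} -> {safe_return_path(given)!r}")
```

The raw-string checks come before the parser on purpose: an open-redirect filter that trusts only urlsplit() passes "///evil.example", because the parser yields an empty netloc and a path of "/evil.example" while a browser navigates to evil.example.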
2023-08-09  CVE-2023-38999  Cross-Site Request Forgery (CSRF) vulnerability in OPNsense
  A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to cause a Denial of Service (DoS) via a crafted GET request.
  Attack vector: network. Attack complexity: low. Product: opnsense. CWE-352. CVSS base score: 6.5.
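Added illustration for the CWE-352 class behind this entry; it is not OPNsense code. A request handler for a state-changing route that refuses GET, checks the Sec-Fetch-Site header when the browser sends one, and requires a per-session token compared in constant time, shown beside the weak pattern in which a bare GET performs the action. The route table (the page names /system/halt; /system/reboot is added here), the Session class and the request exchange are hypothetical.

```python
"""Protecting a state-changing route from cross-site requests (CWE-352). Added example."""
import hmac
import secrets
from typing import Callable, Dict, Tuple

STATE_CHANGING = {"/system/halt", "/system/reboot"}   # hypothetical route table


class Session:
    """One token per login session, embedded in the page's forms and checked on every state change."""

    def __init__(self) -> None:
        self.csrf_token = secrets.token_urlsafe(32)


def vulnerable_handle(method: str, path: str, execute: Callable[[str], None]) -> Tuple[int, str]:
    """Weak pattern: the method is ignored, so <img src="https://firewall/system/halt"> on any site fires it."""
    if path not in STATE_CHANGING:
        return 404, "not found"
    execute(path)
    return 200, "ok"


def hardened_handle(session: Session, method: str, path: str, headers: Dict[str, str],
                    form: Dict[str, str], execute: Callable[[str], None]) -> Tuple[int, str]:
    """Require POST, a same-origin fetch when the browser reports one, and a matching session token."""
    if path not in STATE_CHANGING:
        return 404, "not found"
    if method != "POST":
        return 405, "state change requires POST"       # links, images and navigations never reach execute()
    site = headers.get("Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "none"):
        return 403, "cross-site request refused"      # modern browsers label cross-site form posts
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "missing or wrong csrf token"      # browsers without Sec-Fetch-Site rely on the token alone
    execute(path)
    return 200, "ok"


def simulate() -> Dict[str, Dict[str, list]]:
    """Constructed exchange: forged requests against both handlers, then a legitimate same-origin POST."""
    session = Session()
    executed: Dict[str, list] = {"vulnerable": [], "hardened": []}
    status: Dict[str, list] = {"vulnerable": [], "hardened": []}
    forged = {"Sec-Fetch-Site": "cross-site", "Referer": "https://attacker.example/"}

    # The forged GET, as issued by an <img> tag on the attacker's page.
    status["vulnerable"].append(vulnerable_handle("GET", "/system/halt", executed["vulnerable"].append)[0])

    run = executed["hardened"].append
    status["hardened"].append(hardened_handle(session, "GET", "/system/halt", forged, {}, run)[0])
    # Even with the right token, a request the browser labels cross-site is refused.
    status["hardened"].append(hardened_handle(session, "POST", "/system/halt", forged,
                                              {"csrf_token": session.csrf_token}, run)[0])
    # No fetch metadata (older client) and a guessed token.
    status["hardened"].append(hardened_handle(session, "POST", "/system/halt", {},
                                              {"csrf_token": "guess"}, run)[0])
    # The legitimate form submission from the firewall's own UI.
    status["hardened"].append(hardened_handle(session, "POST", "/system/halt", {"Sec-Fetch-Site": "same-origin"},
                                              {"csrf_token": session.csrf_token}, run)[0])
    return {"status": status, "executed": executed}


if __name__ == "__main__":
    print(simulate())
```

Refusing GET is the cheapest fix and closes the <img>/<a> vector described in the entry; the token and fetch-metadata checks are what stop an auto-submitting cross-site form, which can still send a POST.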
2023-08-09  CVE-2023-39000  Cross-site Scripting vulnerability in OPNsense
  A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to inject arbitrary JavaScript via the URL path.
  Attack vector: network. Attack complexity: low. Product: opnsense. CWE-79. CVSS base score: 6.1.
2023-08-09  CVE-2023-39001  Command Injection vulnerability in OPNsense
  A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary commands via a crafted backup configuration file.
  Attack vector: network. Attack complexity: low. Product: opnsense. CWE-77. CVSS base score: 9.8 (critical).
2023-08-09  CVE-2023-39002  Cross-site Scripting vulnerability in OPNsense
  A cross-site scripting (XSS) vulnerability in the act parameter of system_certmanager.php in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
  Attack vector: network. Attack complexity: low. Product: opnsense. CWE-79. CVSS base score: 6.1.
2023-08-09  CVE-2023-39003  Incorrect Permission Assignment for Critical Resource vulnerability in OPNsense
  OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 was discovered to contain insecure permissions on the /tmp directory.
  Attack vector: network. Attack complexity: low. Product: opnsense. CWE-732. CVSS base score: 7.5.