Vulnerabilities > Opnsense > Opnsense > 15.7.17

DATE CVE VULNERABILITY TITLE RISK
2023-09-28 CVE-2023-44275 Cross-site Scripting vulnerability in Opnsense
OPNsense before 23.7.5 allows XSS via the index.php column_count parameter to the Lobby Dashboard.
network
low complexity
opnsense CWE-79
5.4
5.4
2023-09-28 CVE-2023-44276 Cross-site Scripting vulnerability in Opnsense
OPNsense before 23.7.5 allows XSS via the index.php sequence parameter to the Lobby Dashboard.
network
low complexity
opnsense CWE-79
5.4
5.4
2023-08-09 CVE-2023-38997 Path Traversal vulnerability in Opnsense
A directory traversal vulnerability in the Captive Portal templates of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands as root via a crafted ZIP archive.
network
low complexity
opnsense CWE-22
7.2
7.2
2023-08-09 CVE-2023-38998 Open Redirect vulnerability in Opnsense
An open redirect in the Login page of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to redirect a victim user to an arbitrary web site via a crafted URL.
network
low complexity
opnsense CWE-601
6.1
6.1
2023-08-09 CVE-2023-38999 Cross-Site Request Forgery (CSRF) vulnerability in Opnsense
A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to cause a Denial of Service (DoS) via a crafted GET request.
network
low complexity
opnsense CWE-352
6.5
6.5
2023-08-09 CVE-2023-39000 Cross-site Scripting vulnerability in Opnsense
A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to inject arbitrary JavaScript via the URL path.
network
low complexity
opnsense CWE-79
6.1
6.1
2023-08-09 CVE-2023-39001 Command Injection vulnerability in Opnsense
A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary commands via a crafted backup configuration file.
network
low complexity
opnsense CWE-77
critical
 9.8
9.8
2023-08-09 CVE-2023-39002 Cross-site Scripting vulnerability in Opnsense
A cross-site scripting (XSS) vulnerability in the act parameter of system_certmanager.php in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
network
low complexity
opnsense CWE-79
6.1
6.1
2023-08-09 CVE-2023-39003 Incorrect Permission Assignment for Critical Resource vulnerability in Opnsense
OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 was discovered to contain insecure permissions in the directory /tmp.
network
low complexity
opnsense CWE-732
7.5
7.5
2023-08-09 CVE-2023-39004 Incorrect Permission Assignment for Critical Resource vulnerability in Opnsense
Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allow attackers to access sensitive information (e.g., hashed root password) which could lead to privilege escalation.
network
low complexity
opnsense CWE-732
critical
 9.8
9.8