Critical vulnerabilities in OPNsense

DATE        CVE             VULNERABILITY TITLE
            (each entry is followed by its description and RISK fields)

2023-10-23  CVE-2023-27152  Improper Restriction of Excessive Authentication Attempts vulnerability in OPNsense 23.1
            DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass authentication.
            Attack vector: network | Attack complexity: low | Product: opnsense | CWE-307 | Risk: critical (9.8)

2023-08-09  CVE-2023-39001  Command Injection vulnerability in OPNsense
            A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary commands via a crafted backup configuration file.
            Attack vector: network | Attack complexity: low | Product: opnsense | CWE-77 | Risk: critical (9.8)

2023-08-09  CVE-2023-39004  Incorrect Permission Assignment for Critical Resource vulnerability in OPNsense
            Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allow attackers to access sensitive information (e.g., hashed root password), which could lead to privilege escalation.
            Attack vector: network | Attack complexity: low | Product: opnsense | CWE-732 | Risk: critical (9.8)

2023-08-09  CVE-2023-39007  Cross-site Scripting vulnerability in OPNsense
            /ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows XSS via openAction in app/controllers/OPNsense/Cron/ItemController.php.
            Attack vector: network | Attack complexity: low | Product: opnsense | CWE-79 | Risk: critical (9.6)

2023-08-09  CVE-2023-39008  Command Injection vulnerability in OPNsense
            A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands.
            Attack vector: network | Attack complexity: low | Product: opnsense | CWE-77 | Risk: critical (9.8)