Vulnerabilities > Pfsense

DATE CVE VULNERABILITY TITLE RISK
2023-11-09 CVE-2023-29975 Improper Authentication vulnerability in Pfsense 2.6.0
An issue discovered in Pfsense CE version 2.6.0 allows attackers to change the password of any user without verification.
network
low complexity
pfsense CWE-287
7.2
2023-11-08 CVE-2023-29974 Weak Password Requirements vulnerability in Pfsense 2.6.0
An issue discovered in Pfsense CE version 2.6.0 allows attackers to compromise user accounts via weak password requirements.
network
low complexity
pfsense CWE-521
critical
9.8
2023-10-25 CVE-2023-29973 Allocation of Resources Without Limits or Throttling vulnerability in Pfsense 2.6.0
Pfsense CE version 2.6.0 is vulnerable to No rate limit which can lead to an attacker creating multiple malicious users in firewall.
network
low complexity
pfsense CWE-770
4.9
2023-04-06 CVE-2020-19678 Path Traversal vulnerability in multiple products
Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php.
network
low complexity
oisf pfsense CWE-22
7.5
2023-03-22 CVE-2023-27100 Improper Restriction of Excessive Authentication Attempts vulnerability in multiple products
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.
network
low complexity
netgate pfsense CWE-307
critical
9.8
2022-12-20 CVE-2022-40624 OS Command Injection vulnerability in Pfsense Pfblockerng
pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814.
network
low complexity
pfsense CWE-78
critical
9.8
2022-10-03 CVE-2022-42247 Cross-site Scripting vulnerability in Pfsense 2.5.2
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component.
network
low complexity
pfsense CWE-79
6.1
2022-03-31 CVE-2021-20729 Cross-site Scripting vulnerability in multiple products
Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL.
network
low complexity
netgate pfsense CWE-79
6.1
2022-03-10 CVE-2022-21132 Path Traversal vulnerability in Pfsense Pfsense-Pkg-Wireguard 0.1.5/0.1.6
Directory traversal vulnerability in pfSense-pkg-WireGuard pfSense-pkg-WireGuard 0.1.5 versions prior to 0.1.5_4 and pfSense-pkg-WireGuard 0.1.6 versions prior to 0.1.6_1 allows a remote authenticated attacker to lead a pfSense user to view a file outside the public folder.
network
low complexity
pfsense CWE-22
6.5
2022-03-01 CVE-2021-41282 Injection vulnerability in Pfsense 2.5.2
diag_routes.php in pfSense 2.5.2 allows sed data injection.
network
low complexity
pfsense CWE-74
8.8