CVE-2019-12347

Published: May 29, 2019Modified: Nov 21, 2024

6.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an acme_accountkeys_edit.php action. The vulnerability occurs due to input validation errors.

Affected (1)

Products: Netgate: Pfsense

Netgate

1 product

Pfsense

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Netgate Pfsense	Version 2.4.4 p3

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (10)

http://packetstormsecurity.com/files/153112/pfSense-2.4.4-p3-Cross-Site-Scripting.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://ctrsec.io/index.php/2019/05/28/stored-xss-acme-pfsense-2-4-4-p3/

Source: cve@mitre.org

ExploitPatchThird Party Advisory

https://github.com/pfsense/FreeBSD-ports/commit/504909564079e540689dbdbed3a579483c614275

Source: cve@mitre.org

PatchThird Party Advisory

https://redmine.pfsense.org/issues/9554#change-40729

Source: cve@mitre.org

ExploitVendor Advisory

https://www.pfsense.org/download/

Source: cve@mitre.org

Vendor Advisory

http://packetstormsecurity.com/files/153112/pfSense-2.4.4-p3-Cross-Site-Scripting.html