CVE-2023-27253

Published: Mar 17, 2023Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.

Affected (1)

Products: Netgate: Pfsense

Netgate

1 product

Pfsense

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Netgate Pfsense	Version 2.7.0

Related CWEs

CWE-91

XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

References (6)

http://packetstormsecurity.com/files/173487/pfSense-Restore-RRD-Data-Command-Injection.html

Source: cve@mitre.org

https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94

Source: cve@mitre.org

Patch

https://redmine.pfsense.org/issues/13935

Source: cve@mitre.org

Issue TrackingPatchVendor Advisory

http://packetstormsecurity.com/files/173487/pfSense-Restore-RRD-Data-Command-Injection.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://redmine.pfsense.org/issues/13935

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchVendor Advisory

Timeline

No history available yet.