#VU35860 Cross-site scripting in pfsense


Published: 2019-06-03 | Updated: 2020-08-08

Vulnerability identifier: #VU35860

Vulnerability risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12584

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
pfsense
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Rubicon Communications

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an XSS issue in apcupsd_status.php.

Mitigation
Install update from vendor's website.

Vulnerable software versions

pfsense: 2.4.0 - 2.4.3_1

External links
http://ctrsec.io/index.php/2019/05/28/cve-2019-12584-12585-command-injection-vulnerability-on-pfsense-2-4-4-release-p3/
http://github.com/pfsense/FreeBSD-ports/commit/b492c0ea47aba8dde2f14183e71498ba207594e3
http://redmine.pfsense.org/issues/9556

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in pfsense