Clickjacking Vulnerability in pfSense Web Application
CVE-2017-1000479
What is CVE-2017-1000479?
The pfSense web application, in versions 2.4.1 and earlier, is vulnerable to clickjacking through its CSRF error page. The X-Frame-Options header is applied incorrectly: the CSRF error is detected, and the error page returned, before the header is set, so that page can be loaded inside an attacker-controlled frame and used to hide malicious content beneath what the user sees, allowing unauthorized privileged execution of arbitrary code. pfSense 2.4.2-RELEASE fixes the issue; the OPNsense fork has not been affected since version 16.1.16, where the unprotected web form was removed during an internal audit.
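The ordering flaw described above, shown as an added Python example that is not pfSense's or OPNsense's code: a toy request handler that returns the CSRF error before setting X-Frame-Options, beside one that sets anti-framing headers before any early return, plus an audit helper that flags frameable responses. The handler names, the request dictionary shape and the extra Content-Security-Policy header are assumptions for illustration.

```python
CSRF_ERROR_HTML = "<html><body>CSRF check failed</body></html>"
PAGE_HTML = "<html><body>Settings form</body></html>"


def handle_vulnerable(request: dict) -> tuple[int, dict, str]:
    """Mirrors the flawed ordering: the CSRF error is detected and returned
    before the anti-framing header is added, so the error page can be framed."""
    if request.get("csrf_token") != request.get("session_token"):
        return 403, {"Content-Type": "text/html"}, CSRF_ERROR_HTML
    headers = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
    return 200, headers, PAGE_HTML


def handle_fixed(request: dict) -> tuple[int, dict, str]:
    """Hardened ordering: anti-framing headers are built before any branch
    that can return early, so every response, error page included, carries them."""
    headers = {
        "Content-Type": "text/html",
        "X-Frame-Options": "SAMEORIGIN",
        # Assumed addition: CSP frame-ancestors is the modern equivalent
        "Content-Security-Policy": "frame-ancestors 'self'",
    }
    if request.get("csrf_token") != request.get("session_token"):
        return 403, headers, CSRF_ERROR_HTML
    return 200, headers, PAGE_HTML


def frameable(headers: dict) -> bool:
    """Audit helper: True when a response lacks any anti-framing control.
    Header names are compared case-insensitively, as HTTP requires."""
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = lower.get("x-frame-options", "").strip().upper()
    csp = lower.get("content-security-policy", "").lower()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    if "frame-ancestors" in csp:
        return False
    return True


def audit(handler, requests):
    """Run constructed requests through a handler; return the status codes of
    responses that a third-party page could embed in a frame."""
    return [handler(r)[0] for r in requests if frameable(handler(r)[1])]


# Constructed sample requests: one valid, one with a missing CSRF token
SAMPLE_REQUESTS = [
    {"session_token": "abc", "csrf_token": "abc"},
    {"session_token": "abc", "csrf_token": None},
]
```

Running the audit against both handlers shows only the vulnerable handler's 403 error page is frameable; the same check applied to captured responses from a real deployment is a quick way to confirm the fix has landed.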
EPSS Score
18% chance of being exploited in the next 30 days.