Improper Access Control in OPNsense and pfSense WebUI
CVE-2019-11816

7.2HIGH

Key Information:

Vendor: Netgate
Status: Pfsense; Opnsense
Vendor: CVE Published:; 20 May 2019

What is CVE-2019-11816?

The WebUI in OPNsense prior to version 19.1.8 and pfSense before 2.4.4-p3 contains an improper access control issue that allows remote authenticated users to escalate privileges to an administrator level. By exploiting this vulnerability with a specially crafted request, attackers can gain unauthorized administrative access, potentially compromising the integrity and confidentiality of the system.

References

https://forum.opnsense.org/index.php?topic=12787.0

x_refsource_CONFIRM

https://www.netgate.com/blog/pfsense-2-4-4-release-p3-now...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2019
Vulnerability Reserved
May 8, 2019

Netgate

What is CVE-2019-11816?

References

CVSS V3.1

Timeline