Cross-Site Scripting Vulnerability in pfSense by Netgate
CVE-2019-12949
What is CVE-2019-12949?
In pfSense versions 2.4.4-p2 and 2.4.4-p3, an attacker can phish an authenticated administrator into visiting a malicious page. Once the administrator clicks a button on that page, the Cross-Site Scripting (XSS) payload executes in the administrator's session and uploads arbitrary executable code through the diag_command.php and rrd_fetch_json.php scripts. The result is unrestricted command execution with root privileges on the affected firewall, a severe risk to system integrity and security.

Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
EPSS Score
12% chance of being exploited in the next 30 days.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved
