Cross-Site Scripting Vulnerability in pfSense by Netgate
CVE-2019-12949

6.1MEDIUM

Key Information:

Vendor: Netgate
Status: Pfsense
Vendor: CVE Published:; 25 June 2019

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 11%

What is CVE-2019-12949?

In pfSense versions 2.4.4-p2 and 2.4.4-p3, an attacker can exploit a vulnerability involving phishing to trick an authenticated administrator into interacting with a malicious page. By clicking on a compromised button, the attacker can perform Cross-Site Scripting (XSS), enabling the upload of arbitrary executable code through the diag_command.php and rrd_fetch_json.php scripts. This exploit allows unrestricted command execution with root privileges on the affected server, posing a significant risk to system integrity and security.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2019-12949
Created by tarantula-team

References

https://github.com/tarantula-team/CVE-2019-12949

x_refsource_MISC

EPSS Score

11% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 25, 2019
👾
Exploit known to exist
Jun 25, 2019
Vulnerability published
Jun 25, 2019
Vulnerability Reserved
Jun 24, 2019