XSS Vulnerability in pfSense Network Firewall Software
CVE-2020-10797

6.1 MEDIUM

Key Information:

Vendor: Netgate

Status
Vendor

CVE Published: 29 April 2020

What is CVE-2020-10797?

An XSS vulnerability exists in the hostname field of the diag_ping.php page in pfSense before version 2.4.5. The flaw arises when user input is manipulated and passed to a command without proper sanitization. Attackers may exploit this weakness to inject malicious scripts, which then execute in the context of the user's browser, leading to unauthorized access or data theft.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved