Stored Cross-Site Scripting Vulnerability in Netgate pfSense Software
CVE-2020-19201

5.4MEDIUM

Key Information:

Vendor

Netgate

Status
Pfsense
Vendor
CVE Published:
12 July 2021

What is CVE-2020-19201?

A vulnerability was identified in the pfSense software's WebGUI that allows for Stored Cross-Site Scripting. The issue resides in the 'status_filter_reload.php' page, where the output from filter reload processes is not properly encoded. This failure creates a potential vector for attackers to exploit via the 'descr' (description) parameter present in NAT rules. Users operating pfSense versions 2.4.4-p2 and earlier are particularly at risk, as the flaw enables stored XSS, potentially compromising the security of the web interface.

References

https://www.pfsense.org/download/
x_refsource_MISC
https://docs.netgate.com/pfsense/en/latest/releases/2-4-4...
x_refsource_MISC
https://gist.github.com/dharmeshbaskaran/fd3779006361d076...
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.