Cross Site Scripting Vulnerability in Netgate pfSense and ACME Package
CVE-2020-21219

6.1 MEDIUM

Key Information:

Vendor: Netgate

CVE Published: 15 December 2022

What is CVE-2020-21219?

A Cross Site Scripting (XSS) vulnerability exists in Netgate pfSense 2.4.4-Release-p3 and the ACME package version 0.6.3. This vulnerability can be exploited by remote attackers to execute arbitrary code through manipulation of the RootFolder field on the acme_certificate_edit.php page of the ACME package. Attackers can use this flaw to send malicious scripts to unsuspecting users, potentially compromising sensitive information. Users of these affected versions should apply patches promptly to mitigate this risk.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
