Cross Site Scripting Vulnerability in Netgate pfSense by Netgate
CVE-2020-21487

9.6 CRITICAL

Key Information:

Vendor: Netgate
CVE Published: 4 April 2023

What is CVE-2020-21487?

A cross-site scripting (XSS) vulnerability exists in Netgate's pfSense version 2.4.4 and the ACME package version 0.6.3. Attackers can exploit the RootFolder field in the acme_certificates.php file, potentially enabling them to execute arbitrary code, which could lead to unauthorized actions within the affected systems. Organizations using these versions should assess their exposure and apply the necessary patches to mitigate risk.

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
