Cross-Site Scripting Vulnerability in pfSense CE and pfSense Plus
CVE-2022-23993

6.1MEDIUM

Key Information:

Vendor: Pfsense
Status: Pfsense Plus; Pfsense
Vendor: CVE Published:; 26 January 2022

What is CVE-2022-23993?

A vulnerability exists in the pfSense CE and pfSense Plus products where an unsafe use of user input in the PHP echo call within pkg.php can lead to Cross-Site Scripting (XSS) attacks. This issue arises from the improper handling of the 'pkg_filter' parameter from user requests, allowing an attacker to inject malicious scripts. Users are advised to update to the latest versions to mitigate potential exploitation risks.

References

https://github.com/pfsense/pfsense/commit/5d82cce0d615a76...

x_refsource_MISC

https://docs.netgate.com/downloads/pfSense-SA-22_04.webgu...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 26, 2022
Vulnerability Reserved
Jan 26, 2022

Pfsense

What is CVE-2022-23993?

References

CVSS V3.1

Timeline