Cross-Site Scripting Vulnerability in OPNsense Community and Business Editions
CVE-2023-39002

6.1 MEDIUM

Key Information:

Vendor: OPNsense

Status
Vendor
CVE Published: 9 August 2023

What is CVE-2023-39002?

A cross-site scripting (XSS) vulnerability has been identified in the act parameter of system_certmanager.php in OPNsense Community Edition prior to version 23.7 and Business Edition before version 23.4.2. This flaw allows attackers to craft malicious payloads that can execute arbitrary web scripts or HTML, potentially compromising the security of the web application and its users. It is crucial for system administrators to apply the necessary updates to mitigate this security risk and maintain the integrity of their systems.

EPSS Score

23% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
