Cross Site Scripting (XSS) Vulnerability in pfSense v.2.7.0 Allows Remote Attacker to Gain Privileges
CVE-2023-42325

5.4MEDIUM

Key Information:

Vendor: Netgate
Status: Pfsense
Vendor: CVE Published:; 14 November 2023

Badges

👾 Exploit Exists🟣 EPSS 48%📰 News Worthy

What is CVE-2023-42325?

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.

News Articles

GBHackers News

CVE-2023-42325 CVE-2023-42326

Over 1,450 pfSense Servers Exposed RCE Attacks via Bug Chain

Researchers discovered two vulnerabilities in pfSense servers CE related to Cross-Site Scripting (XSS) and Command Injection.

SC Media

CVE-2023-42325 CVE-2023-42327

RCE attacks could impact most internet-exposed pfSense instances

More than 92% of internet-exposed instances of the pfSense open-source firewall and router software could be compromised to achieve remote code execution by chaining the reflective XSS vulnerabilities, tracked as CVE-2023-42325 and CVE-2023-42327, as well as the command injection bug, tracked as CVE...

References

https://docs.netgate.com/downloads/pfSense-SA-23_09.webgu...

https://www.sonarsource.com/blog/pfsense-vulnerabilities-...

EPSS Score

48% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Sep 2, 2024
📰
First article discovered by SC Media
Dec 13, 2023
Vulnerability published
Nov 14, 2023
Vulnerability Reserved
Sep 8, 2023