Cross Site Scripting in Netgate pfSense Affects Remote Access Management
CVE-2023-42327

5.4 MEDIUM

Key Information:

  • Vendor: Netgate
  • Status: Vendor
  • CVE Published: 14 November 2023

Badges

  • 🟣 EPSS 48%
  • 📰 News Worthy

What is CVE-2023-42327?

A Cross Site Scripting (XSS) vulnerability exists in Netgate pfSense version 2.7.0 that allows a remote attacker to manipulate web requests to the getserviceproviders.php page. By inducing a user to open a crafted URL, the attacker can exploit this vulnerability to gain unauthorized privileges, potentially compromising the integrity of the network management interface.

News Articles

RCE attacks could impact most internet-exposed pfSense instances

More than 92% of internet-exposed instances of the pfSense open-source firewall and router software could be compromised to achieve remote code execution by chaining the reflective XSS vulnerabilities, tracked as CVE-2023-42325 and CVE-2023-42327, as well as the command injection bug, tracked as CVE...

References

EPSS Score

48% chance of being exploited in the next 30 days.

CVSS V3.1

  • Score: 5.4
  • Severity: MEDIUM
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed

Timeline

  • 📰 First article discovered by SC Media
  • Vulnerability published
  • Vulnerability reserved