Every CVE whose affected-product data names Netgate Pfsense, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (49)
CVE-2019-12585 — CVSS 9.8 (critical): Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an Arbitrary Command Execution issue in…
CVE-2019-16915 — CVSS 9.8 (critical): An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without…
CVE-2020-21487 — CVSS 9.6 (critical): Cross Site Scripting vulnerability found in Netgate pfSense 2.4.4 and ACME package v.0.6.3 allows attackers to execute arbitrary code via…
CVE-2023-27253 — CVSS 8.8 (high): A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute…
CVE-2022-26019 — CVSS 8.8 (high): Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software…
CVE-2019-16701 — CVSS 8.8 (high): pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing…
CVE-2023-48123 — CVSS 8.8 (high): An issue in Netgate pfSense Plus v.23.05.1 and before and pfSense CE v.2.7.0 allows a remote attacker to execute arbitrary code via a…
CVE-2023-42326 — CVSS 8.8 (high): An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php…
CVE-2022-24299 — CVSS 8.8 (high): Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus…
CVE-2017-1000479 — CVSS 8.8 (high): pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of…
CVE-2018-16055 — CVSS 8.8 (high): An authenticated command injection vulnerability exists in status_interfaces.php via dhcp_relinquish_lease() in pfSense before 2.4.4 due to…
CVE-2019-16667 — CVSS 8.8 (high): diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executing OS commands…
CVE-2015-1414 — CVSS 7.8 (high): Integer overflow in FreeBSD before 8.4 p24, 9.x before 9.3 p10. 10.0 before p18, and 10.1 before p6 allows remote attackers to cause a…
CVE-2018-20798 — CVSS 7.5 (high): The expiretable configuration in pfSense 2.4.4_1 establishes block durations that are incompatible with the block durations implemented by…
CVE-2018-20799 — CVSS 7.5 (high): In pfSense 2.4.4_1, blocking of source IP addresses on the basis of failed HTTPS authentication is inconsistent with blocking of source IP…
CVE-2018-4019 — CVSS 7.2 (high): An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific…
CVE-2018-4021 — CVSS 7.2 (high): An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific…
CVE-2019-11816 — CVSS 7.2 (high): Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to…
CVE-2018-4020 — CVSS 7.2 (high): An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific…
CVE-2015-2295 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in system_firmware_restorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows…
CVE-2014-4691 — CVSS 6.8 (medium): Session fixation vulnerability in pfSense before 2.1.4 allows remote attackers to hijack web sessions via a firewall login cookie.
CVE-2014-4688 — CVSS 6.5 (medium): pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via (1) the hostname value to diag_dns.php in a Create…
CVE-2019-16914 — CVSS 6.1 (medium): An XSS issue was discovered in pfSense through 2.4.4-p3. In services_captiveportal_mac.php, the username and delmac parameters are…
CVE-2020-10797 — CVSS 6.1 (medium): An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version. After passing inputs to the…
CVE-2020-21219 — CVSS 6.1 (medium): Cross Site Scripting (XSS) vulnerability in Netgate pf Sense 2.4.4-Release-p3 and Netgate ACME package 0.6.3 allows remote attackers to to…
CVE-2019-12347 — CVSS 6.1 (medium): In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an…
CVE-2019-12584 — CVSS 6.1 (medium): Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an XSS issue in apcupsd_status.php.
CVE-2022-29273 — CVSS 6.1 (medium): pfSense CE through 2.6.0 and pfSense Plus before 22.05 allow XSS in the WebGUI via URL Table Alias URL parameters.
CVE-2019-12949 — CVSS 6.1 (medium): In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on a phishing page…
CVE-2014-4695 — CVSS 5.8 (medium): Multiple open redirect vulnerabilities in the Snort package before 3.0.13 for pfSense through 2.1.4 allow remote attackers to redirect…
CVE-2014-4696 — CVSS 5.8 (medium): Multiple open redirect vulnerabilities in the Suricata package before 1.0.6 for pfSense through 2.1.4 allow remote attackers to redirect…
CVE-2020-19201 — CVSS 5.4 (medium): A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate…
CVE-2020-11457 — CVSS 5.4 (medium): pfSense before 2.4.5 has stored XSS in system_usermanager_addprivs.php in the WebGUI via the descr parameter (aka full name) of a user.
CVE-2020-19203 — CVSS 5.4 (medium): An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense…
CVE-2023-42325 — CVSS 5.4 (medium): Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted url to the…
CVE-2023-42327 — CVSS 5.4 (medium): Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the…
CVE-2014-4689 — CVSS 5.0 (medium): Absolute path traversal vulnerability in pkg_edit.php in pfSense before 2.1.4 allows remote attackers to read arbitrary XML files via a…
CVE-2014-4690 — CVSS 5.0 (medium): Multiple directory traversal vulnerabilities in pfSense before 2.1.4 allow (1) remote attackers to read arbitrary .info files via a crafted…
CVE-2024-46538 — CVSS 4.8 (medium): A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted…
CVE-2015-2294 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the WebGUI in pfSense before 2.2.1 allow remote attackers to inject arbitrary web…
CVE-2014-4694 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in suricata_select_alias.php in the Suricata package before 1.0.6 for pfSense through…
CVE-2014-4687 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.1.4 allow remote attackers to inject arbitrary web script or HTML…
CVE-2014-4692 — CVSS 4.3 (medium): pfSense before 2.1.4, when HTTP is used, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it…
CVE-2015-6511 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the…
CVE-2015-6510 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.2.3 allow remote attackers to inject arbitrary web script or HTML…
CVE-2015-6509 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.2.3 allow remote attackers to inject arbitrary web script or HTML…
CVE-2014-4693 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the Snort package before 3.0.13 for pfSense through 2.1.4 allow remote attackers to…
CVE-2015-6508 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the…
CVE-2015-4029 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the WebGUI in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or…