
    6 vulnerabilities found for pfSense CE and pfSense Plus by pfSense (three CVEs, each listed once from the nvd source and once from the cvelistv5 source)

    CVE-2022-26019 (GCVE-0-2022-26019)

    Vulnerability from nvd – Published: 2022-03-31 07:21 – Updated: 2024-08-03 04:56
    VLAI
    Summary
    Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution.
    Severity
    No CVSS data available.
    CWE
    • Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    pfSense pfSense CE and pfSense Plus Affected: pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:56:37.518Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.netgate.com/downloads/pfSense-SA-22_01.webgui.asc"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pfSense CE and pfSense Plus",
              "vendor": "pfSense",
              "versions": [
                {
                  "status": "affected",
                  "version": "pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-31T07:21:31.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.netgate.com/downloads/pfSense-SA-22_01.webgui.asc"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vultures@jpcert.or.jp",
              "ID": "CVE-2022-26019",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "pfSense CE and pfSense Plus",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "pfSense"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jvn.jp/en/jp/JVN87751554/index.html",
                  "refsource": "MISC",
                  "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
                },
                {
                  "name": "https://docs.netgate.com/downloads/pfSense-SA-22_01.webgui.asc",
                  "refsource": "MISC",
                  "url": "https://docs.netgate.com/downloads/pfSense-SA-22_01.webgui.asc"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2022-26019",
        "datePublished": "2022-03-31T07:21:31.000Z",
        "dateReserved": "2022-03-06T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:56:37.518Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-24299 (GCVE-0-2022-24299)

    Vulnerability from nvd – Published: 2022-03-31 07:21 – Updated: 2024-08-03 04:07
    VLAI
    Summary
    Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command.
    Severity
    No CVSS data available.
    CWE
    • Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    pfSense pfSense CE and pfSense Plus Affected: pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:07:02.366Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.netgate.com/downloads/pfSense-SA-22_03.webgui.asc"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pfSense CE and pfSense Plus",
              "vendor": "pfSense",
              "versions": [
                {
                  "status": "affected",
                  "version": "pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-31T07:21:07.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.netgate.com/downloads/pfSense-SA-22_03.webgui.asc"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vultures@jpcert.or.jp",
              "ID": "CVE-2022-24299",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "pfSense CE and pfSense Plus",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "pfSense"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jvn.jp/en/jp/JVN87751554/index.html",
                  "refsource": "MISC",
                  "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
                },
                {
                  "name": "https://docs.netgate.com/downloads/pfSense-SA-22_03.webgui.asc",
                  "refsource": "MISC",
                  "url": "https://docs.netgate.com/downloads/pfSense-SA-22_03.webgui.asc"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2022-24299",
        "datePublished": "2022-03-31T07:21:07.000Z",
        "dateReserved": "2022-03-06T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:07:02.366Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-20729 (GCVE-0-2021-20729)

    Vulnerability from nvd – Published: 2022-03-31 07:20 – Updated: 2024-08-03 17:53
    VLAI
    Summary
    Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL.
    Severity
    No CVSS data available.
    CWE
    • Cross-site scripting
    Assigner
    References
    Impacted products
    Vendor Product Version
    pfSense pfSense CE and pfSense Plus Affected: pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:53:21.921Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pfSense CE and pfSense Plus",
              "vendor": "pfSense",
              "versions": [
                {
                  "status": "affected",
                  "version": "pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-31T07:20:29.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vultures@jpcert.or.jp",
              "ID": "CVE-2021-20729",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "pfSense CE and pfSense Plus",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "pfSense"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc",
                  "refsource": "MISC",
                  "url": "https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc"
                },
                {
                  "name": "https://jvn.jp/en/jp/JVN87751554/index.html",
                  "refsource": "MISC",
                  "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2021-20729",
        "datePublished": "2022-03-31T07:20:29.000Z",
        "dateReserved": "2020-12-17T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:53:21.921Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-26019 (GCVE-0-2022-26019)

    Vulnerability from cvelistv5 – Published: 2022-03-31 07:21 – Updated: 2024-08-03 04:56
    VLAI
    Summary
    Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution.
    Severity
    No CVSS data available.
    CWE
    • Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    pfSense pfSense CE and pfSense Plus Affected: pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:56:37.518Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.netgate.com/downloads/pfSense-SA-22_01.webgui.asc"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pfSense CE and pfSense Plus",
              "vendor": "pfSense",
              "versions": [
                {
                  "status": "affected",
                  "version": "pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-31T07:21:31.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.netgate.com/downloads/pfSense-SA-22_01.webgui.asc"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vultures@jpcert.or.jp",
              "ID": "CVE-2022-26019",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "pfSense CE and pfSense Plus",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "pfSense"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jvn.jp/en/jp/JVN87751554/index.html",
                  "refsource": "MISC",
                  "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
                },
                {
                  "name": "https://docs.netgate.com/downloads/pfSense-SA-22_01.webgui.asc",
                  "refsource": "MISC",
                  "url": "https://docs.netgate.com/downloads/pfSense-SA-22_01.webgui.asc"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2022-26019",
        "datePublished": "2022-03-31T07:21:31.000Z",
        "dateReserved": "2022-03-06T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:56:37.518Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-24299 (GCVE-0-2022-24299)

    Vulnerability from cvelistv5 – Published: 2022-03-31 07:21 – Updated: 2024-08-03 04:07
    VLAI
    Summary
    Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command.
    Severity
    No CVSS data available.
    CWE
    • Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    pfSense pfSense CE and pfSense Plus Affected: pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:07:02.366Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.netgate.com/downloads/pfSense-SA-22_03.webgui.asc"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pfSense CE and pfSense Plus",
              "vendor": "pfSense",
              "versions": [
                {
                  "status": "affected",
                  "version": "pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-31T07:21:07.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.netgate.com/downloads/pfSense-SA-22_03.webgui.asc"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vultures@jpcert.or.jp",
              "ID": "CVE-2022-24299",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "pfSense CE and pfSense Plus",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "pfSense"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jvn.jp/en/jp/JVN87751554/index.html",
                  "refsource": "MISC",
                  "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
                },
                {
                  "name": "https://docs.netgate.com/downloads/pfSense-SA-22_03.webgui.asc",
                  "refsource": "MISC",
                  "url": "https://docs.netgate.com/downloads/pfSense-SA-22_03.webgui.asc"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2022-24299",
        "datePublished": "2022-03-31T07:21:07.000Z",
        "dateReserved": "2022-03-06T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:07:02.366Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-20729 (GCVE-0-2021-20729)

    Vulnerability from cvelistv5 – Published: 2022-03-31 07:20 – Updated: 2024-08-03 17:53
    VLAI
    Summary
    Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL.
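    Severity
    No CVSS data available in this record; the absence of a score is not a severity rating, so assess impact from the description and the referenced vendor advisory.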
    CWE
    • Cross-site scripting (recorded as a free-text problem type; the record carries no CWE identifier)
    Assigner
    References
    Impacted products
    Vendor Product Version
    pfSense pfSense CE and pfSense Plus Affected: pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:53:21.921Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pfSense CE and pfSense Plus",
              "vendor": "pfSense",
              "versions": [
                {
                  "status": "affected",
                  "version": "pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-31T07:20:29.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vultures@jpcert.or.jp",
              "ID": "CVE-2021-20729",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "pfSense CE and pfSense Plus",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "pfSense"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc",
                  "refsource": "MISC",
                  "url": "https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc"
                },
                {
                  "name": "https://jvn.jp/en/jp/JVN87751554/index.html",
                  "refsource": "MISC",
                  "url": "https://jvn.jp/en/jp/JVN87751554/index.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2021-20729",
        "datePublished": "2022-03-31T07:20:29.000Z",
        "dateReserved": "2020-12-17T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:53:21.921Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }