Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-4688 — Pfsense vulnerability

4 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
1.9%
top 16.96%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Netgate Pfsense
Timeline
PublishedJul 2
Latest updateMay 14

Description

pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via (1) the hostname value to diag_dns.php in a Create Alias action, (2) the smartmonemail value to diag_smart.php, or (3) the database value to status_rrd_graph_img.php.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages1 packages

â–¶NVDnetgate/pfsense2.1.3

🔴Vulnerability Details

1
GHSA
GHSA-c652-g9jm-xmrh: pfSense before 2↗2022-05-14
â–¶

💥Exploits & PoCs

1
Exploit-DB
pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection↗2018-01-15
â–¶

📄Research Papers

1
CTF
easy / README↗
â–¶
CVE-2014-4688 — Netgate Pfsense vulnerability | cvebase