CVE-2018-4020OS Command Injection in Pfsense

CWE-78OS Command Injection2 documents2 sources
Severity
7.2HIGHNVD
EPSS
84.2%
top 0.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Netgate PfsenseNetgate Pfsense
Timeline
PublishedDec 3
Latest updateMay 13

Description

An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_ac_mode` POST parameter parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

NVDnetgate/pfsense2.4.4
CVEListV5netgate/netgate_pfsenseNetgate pfSense CE 2.4.4-RELEASE

🔴Vulnerability Details

1
GHSA
GHSA-7fj2-qj5r-2prf: An exploitable command injection vulnerability exists in the way Netgate pfSense CE 22022-05-13
CVE-2018-4020 — OS Command Injection in Netgate Pfsense | cvebase