Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-12347 — Cross-site Scripting in Pfsense

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

73.7%

top 1.18%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Netgate Pfsense

Timeline

PublishedMay 29

Latest updateMay 24

Description

In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an acme_accountkeys_edit.php action. The vulnerability occurs due to input validation errors.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDnetgate/pfsense2.4.4

Patches

Patch: ctrsec.io ↗Patch: github.com ↗Patch: ctrsec.io ↗

🔴Vulnerability Details

GHSA

GHSA-mw9h-vpc6-gfx3: In pfSense 2↗2022-05-24

▶

💥Exploits & PoCs

Exploit-DB

pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting↗2019-05-29

▶