CVE-2023-42325
published 2023-11-14

Priority: P3, 37
CVSS 3.1: 5.4 (medium), vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 57.92% (99.0th percentile)
Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the status_logs_filter_dynamic.php page.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
netgate | pfsense | |

Detection & IOCs (extracted from sources)

url: /status_logs_filter_dynamic.php?filtersubmit|3d|1&interface|3d|
path: /status_logs_filter_dynamic.php
bytes: |22 3b|
bytes: |2f 2f|
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS pfSense CE 2.7.0 Stored Cross Site Script Attempt - Firewall Logs Dynamic View (CVE-2023-42325)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/status_logs_filter_dynamic.php?filtersubmit|3d|1&interface|3d|"; fast_pattern; content:"|22 3b|"; within:50; content:"|2f 2f|"; within:150; reference:url,www.sonarsource.com/blog/pfsense-vulnerabilities-sonarcloud/; reference:cve,2023-42325; classtype:attempted-admin; sid:2049663; rev:2; metadata:attack_target Networking_Equipment, created_at 2023_12_12, cve CVE_2023_42325, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_03_08, reviewed_at 2024_10_03; target:dest_ip;)
  • The XSS attack targets the `interface` parameter in a GET request to `/status_logs_filter_dynamic.php`. The Snort/ET rule triggers on a URI containing `filtersubmit=1&interface=` (each `=` is written as the hex byte `|3d|` in the rule), followed within 50 bytes by `";` (`|22 3b|`) and then, within 150 bytes of that, by `//` (`|2f 2f|`), characteristic of injected JavaScript payload delimiters.
  • Shodan-discoverable pfSense instances not running pfSense Plus 23.09 or pfSense CE 2.7.1 remain vulnerable. Use Shodan or similar to identify exposed instances in your IP space for prioritized patching.
  • The ET Snort rule (sid:2049663) is classified for Perimeter, Internal, and SSLDecrypt deployments. SSL inspection must be enabled to detect this attack over HTTPS, as pfSense web UIs are typically HTTPS-only.
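
Where SSL inspection is not available, the same content chain can be applied retrospectively to HTTP access logs. The following is an added example, not part of the ET rule or of this page's sources: it assumes Apache/nginx "combined" log lines from a reverse proxy in front of the pfSense GUI, and it percent-decodes the URI as an approximation of the buffer the rule inspects. The names `uri_matches` and `scan` and all sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Literal contents of sid:2049663 (|3d| is "=", |22 3b| is '";', |2f 2f| is "//").
PREFIX = b"/status_logs_filter_dynamic.php?filtersubmit=1&interface="
QUOTE_SEMI = b'";'
SLASHES = b"//"

# Assumed log format: Apache/nginx "combined" lines from a reverse proxy.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} ')

def _ends(buf, needle, start, limit):
    """Yield end offsets of every needle occurrence lying wholly in buf[start:limit]."""
    pos = buf.find(needle, start, limit)
    while pos != -1:
        yield pos + len(needle)
        pos = buf.find(needle, pos + 1, limit)

def uri_matches(uri):
    """Apply the rule's content chain to a percent-decoded URI (case-sensitive)."""
    buf = unquote_to_bytes(uri)
    for p_end in _ends(buf, PREFIX, 0, len(buf)):
        # within:50 -> '";' must end no more than 50 bytes after the prefix
        for q_end in _ends(buf, QUOTE_SEMI, p_end, p_end + 50):
            # within:150 -> "//" must end no more than 150 bytes after '";'
            if buf.find(SLASHES, q_end, q_end + 150) != -1:
                return True
    return False

def scan(lines):
    """Return (client, uri) for each GET request whose URI satisfies the rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(2) == "GET" and uri_matches(m.group(3)):
            hits.append((m.group(1), m.group(3)))
    return hits

# Constructed sample lines; PLACEHOLDER stands in for any injected script text.
BASE = "/status_logs_filter_dynamic.php?filtersubmit=1&interface="
SAMPLE = [
    f'198.51.100.7 - - [12/Dec/2023:10:01:02 +0000] "GET {BASE}wan HTTP/1.1" 200 5120',
    f'203.0.113.9 - - [12/Dec/2023:10:02:11 +0000] "GET {BASE}wan%22%3BPLACEHOLDER%2F%2F HTTP/1.1" 200 5300',
    f'203.0.113.9 - - [12/Dec/2023:10:02:40 +0000] "POST {BASE}wan%22%3BPLACEHOLDER%2F%2F HTTP/1.1" 200 5300',
]

if __name__ == "__main__":
    for client, uri in scan(SAMPLE):
        print(client, uri)
```

Like the rule, the check is case-sensitive and only considers GET requests, so the POST line in the sample is not reported.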