CVE-2023-42325
Published: 2023-11-14
Priority: P3 37 · medium · 5.4 · CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 57.92% (99.0th percentile)
Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgate | pfsense | — | — |
Detection & IOCs (extracted from sources)
- url: `/status_logs_filter_dynamic.php?filtersubmit|3d|1&interface|3d|`
- bytes: `|22 3b|`
- bytes: `|2f 2f|`
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS pfSense CE 2.7.0 Stored Cross Site Script Attempt - Firewall Logs Dynamic View (CVE-2023-42325)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/status_logs_filter_dynamic.php?filtersubmit|3d|1&interface|3d|"; fast_pattern; content:"|22 3b|"; within:50; content:"|2f 2f|"; within:150; reference:url,www.sonarsource.com/blog/pfsense-vulnerabilities-sonarcloud/; reference:cve,2023-42325; classtype:attempted-admin; sid:2049663; rev:2; metadata:attack_target Networking_Equipment, created_at 2023_12_12, cve CVE_2023_42325, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_03_08, reviewed_at 2024_10_03; target:dest_ip;)
- The XSS attack targets the `interface` parameter in a GET request to `/status_logs_filter_dynamic.php`. The Snort/ET rule triggers on a URI containing `filtersubmit=1&interface=` (each `=` is written as the hex escape `|3d|` in the rule), followed within 50 bytes by `";` (`|22 3b|`) and then, within 150 bytes of that match, by `//` (`|2f 2f|`), delimiters characteristic of an injected JavaScript payload.
- Shodan-discoverable pfSense instances not running pfSense Plus 23.09 or pfSense CE 2.7.1 remain vulnerable. Use Shodan or similar to identify exposed instances in your IP space for prioritized patching.
- The ET Snort rule (sid:2049663) is classified for Perimeter, Internal, and SSLDecrypt deployments. SSL inspection must be enabled to detect this attack over HTTPS, as pfSense web UIs are typically HTTPS-only.
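Where the sensor never saw the traffic decrypted, the same content chain can be replayed over stored web or reverse-proxy access logs. The following is an added example, not part of the original page or the ET ruleset. The common/combined log format, the sample lines and the function names are assumptions, and one percent-decoding pass stands in for the sensor's URI normalization.

```python
import re
from urllib.parse import unquote

# Literal forms of the rule's hex-escaped content strings.
PREFIX = "/status_logs_filter_dynamic.php?filtersubmit=1&interface="  # |3d| is '='
QUOTE_SEMI = '";'  # |22 3b|
SLASHES = "//"     # |2f 2f|
REQUEST = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" \d{3}')

# Constructed sample lines (documentation IPs, inert placeholder value).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Dec/2023:10:00:01 +0000] "GET /status_logs_filter_dynamic.php'
    '?filtersubmit=1&interface=wan HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Dec/2023:10:02:44 +0000] "GET /status_logs_filter_dynamic.php'
    '?filtersubmit=1&interface=lan%22%3BPLACEHOLDER%2F%2F HTTP/1.1" 200 5133',
]


def _ends_within(buf, needle, start, distance):
    """Yield end offsets of needle lying wholly inside buf[start:start+distance]."""
    pos = buf.find(needle, start)
    while pos != -1 and pos + len(needle) <= start + distance:
        yield pos + len(needle)
        pos = buf.find(needle, pos + 1)


def uri_matches(method, raw_uri):
    """Apply the rule's content chain (prefix, then within:50, then within:150)."""
    if "GET" not in method:
        return False
    # Assumption: one round of percent-decoding approximates the sensor's
    # normalized http.uri buffer; access logs usually keep the encoded form.
    uri = unquote(raw_uri)
    start = uri.find(PREFIX)
    while start != -1:
        for quote_end in _ends_within(uri, QUOTE_SEMI, start + len(PREFIX), 50):
            if any(_ends_within(uri, SLASHES, quote_end, 150)):
                return True
        start = uri.find(PREFIX, start + 1)
    return False


def hunt(log_lines):
    """Return (client, decoded_uri) for each matching access-log line."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if m and uri_matches(m.group(2), m.group(3)):
            hits.append((m.group(1), unquote(m.group(3))))
    return hits
```

`hunt(SAMPLE_LOG)` returns only the second sample line's client and decoded URI. The first line requests the same page with an ordinary interface name and is not flagged.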
Suricata
ET WEB_SPECIFIC_APPS pfSense CE 2.7.0 Stored Cross Site Script Attempt - Firewall Logs Dynamic View (CVE-2023-42325)
suricata · 2023-12-12 · CVSS 5.4
No public exploits indexed.