CVE-2023-42327 — Cross-site Scripting in Pfsense

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

48.3%

top 2.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netgate Pfsense

Timeline

PublishedNov 14

Latest updateDec 12

Description

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

▶NVDnetgate/pfsense2.7.0

🔴Vulnerability Details

CVEList

CVE-2023-42327: Cross Site Scripting (XSS) vulnerability in Netgate pfSense v↗2023-11-14

▶

GHSA

GHSA-843q-mqjv-hhh4: Cross Site Scripting (XSS) vulnerability in Netgate pfSense v↗2023-11-14

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS pfSense CE 2.7.0 Stored Cross Site Script Attempt - getservicesproviders.php connection parameter (CVE-2023-42327)↗2023-12-12

▶

🕵️Threat Intelligence

Bleepingcomputer

Over 1,450 pfSense servers exposed to RCE attacks via bug chain↗2023-12-12

▶