CVE-2023-42327
published 2023-11-14


Priority: P3 · 37 · medium
CVSS 3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS: 55.36% (98.9th percentile)
Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.

Affected

1 range
Vendor | Product | Version range | Fixed in
netgate | pfsense | |

Detection & IOCs (extracted from sources)

url: /getserviceproviders.php
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS pfSense CE 2.7.0 Stored Cross Site Script Attempt - getservicesproviders.php connection parameter (CVE-2023-42327)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getserviceproviders.php"; fast_pattern; http.request_body; content:"__csrf_magic|3d|"; startswith; content:"connection|3d|"; content:"|22 3b|"; within:50; content:"|2f 2f|"; within:150; reference:url,www.sonarsource.com/blog/pfsense-vulnerabilities-sonarcloud/; reference:cve,2023-42327; classtype:attempted-admin; sid:2049666; rev:2; metadata:attack_target Networking_Equipment, created_at 2023_12_12, cve CVE_2023_42327, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_03_08, reviewed_at 2024_10_03; target:dest_ip;)
bytes: __csrf_magic=
  • Exploit requires an HTTP POST request to /getserviceproviders.php; the request body begins with the CSRF magic token field (__csrf_magic=) followed by a 'connection' parameter containing XSS payload markers: |22 3b| (";) within 50 bytes of connection=, then |2f 2f| (//) within the next 150 bytes.
  • Shodan-discoverable pfSense instances running versions older than pfSense Plus 23.09 or pfSense CE 2.7.1 remain vulnerable; use version fingerprinting to identify exposed assets.
  • Snort/Suricata SID 2049666 (ET rule, rev:2) covers this CVE; ensure it is enabled on perimeter, internal, and SSL-decrypting sensors.
  • The command injection stage (CVE-2023-42326) additionally requires the attacker to have or hijack an account with interface editing permissions, which is why the XSS chain is necessary.
  • SSL inspection must be enabled on sensors for the Snort/Suricata rule (SID 2049666) to be effective against HTTPS-protected pfSense admin interfaces.