CVE-2023-42327
Published 2023-11-14
Priority: P3 · 37 · medium · 5.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 55.36% (98.9th percentile)
Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgate | pfsense | — | — |
Detection & IOCs (extracted from sources)
url: /getserviceproviders.php
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS pfSense CE 2.7.0 Stored Cross Site Script Attempt - getservicesproviders.php connection parameter (CVE-2023-42327)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getserviceproviders.php"; fast_pattern; http.request_body; content:"__csrf_magic|3d|"; startswith; content:"connection|3d|"; content:"|22 3b|"; within:50; content:"|2f 2f|"; within:150; reference:url,www.sonarsource.com/blog/pfsense-vulnerabilities-sonarcloud/; reference:cve,2023-42327; classtype:attempted-admin; sid:2049666; rev:2; metadata:attack_target Networking_Equipment, created_at 2023_12_12, cve CVE_2023_42327, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_03_08, reviewed_at 2024_10_03; target:dest_ip;)
bytes: __csrf_magic=
- Exploit requires an HTTP POST request to /getserviceproviders.php; the request body begins with the CSRF magic token field (__csrf_magic=) followed by a 'connection' parameter containing XSS payload markers: |22 3b| (";) within 50 bytes of the parameter name and |2f 2f| (//) within the next 150 bytes.
- Shodan-discoverable pfSense instances running versions older than pfSense Plus 23.09 or pfSense CE 2.7.1 remain vulnerable; use version fingerprinting to identify exposed assets.
- Snort/Suricata SID 2049666 (ET rule, rev:2) covers this CVE; ensure it is enabled on perimeter, internal, and SSL-decrypting sensors.
- The command injection stage (CVE-2023-42326) additionally requires the attacker to have or hijack an account with interface editing permissions, which is why the XSS chain is necessary.
- SSL inspection must be enabled on sensors for the Snort/Suricata rule (SID 2049666) to be effective against HTTPS-protected pfSense admin interfaces.
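The match logic described in the notes above, as an added example (not part of the original page or of the ET ruleset): a Python approximation of the content chain in SID 2049666, usable for checking captured requests or reverse-proxy logs offline. The function names and sample requests are constructed, and Suricata's HTTP parsing and flow tracking are not modelled.

```python
"""Added example: approximates the content chain of ET SID 2049666 offline."""

CSRF = b"__csrf_magic="    # content:"__csrf_magic|3d|"; startswith;
PARAM = b"connection="     # content:"connection|3d|";   (anywhere in the body)
QUOTE_SEMI = b'";'         # content:"|22 3b|"; within:50;
SLASHES = b"//"            # content:"|2f 2f|"; within:150;
URI = "/getserviceproviders.php"


def _match_ends(buf: bytes, needle: bytes, start: int, end: int):
    """Yield the end offset of each occurrence of needle fully inside buf[start:end]."""
    pos = buf.find(needle, start, end)
    while pos != -1:
        yield pos + len(needle)
        pos = buf.find(needle, pos + 1, end)


def rule_matches(method: str, uri: str, body: bytes) -> bool:
    """Return True when the request satisfies every content match of the rule."""
    if "POST" not in method or URI not in uri:
        return False
    if not body.startswith(CSRF):
        return False
    # "within:N" is relative to the end of the previous match. Every candidate
    # occurrence is tried, as the engine retries when a later match fails.
    for p_end in _match_ends(body, PARAM, 0, len(body)):
        for q_end in _match_ends(body, QUOTE_SEMI, p_end, p_end + 50):
            if body.find(SLASHES, q_end, q_end + 150) != -1:
                return True
    return False


# Constructed sample requests (method, uri, body); the payload text is inert.
SAMPLES = {
    "normal form post": ("POST", URI, b"__csrf_magic=sid:abc,1&connection=3g&country=DE"),
    "markers present": ("POST", URI, b'__csrf_magic=sid:abc,1&connection=x";PLACEHOLDER//'),
    "marker beyond 50 bytes": ("POST", URI, b"__csrf_magic=sid:abc,1&connection=" + b"A" * 60 + b'";//'),
    "wrong method": ("GET", URI, b'__csrf_magic=sid:abc,1&connection=x";//'),
}


def triage(samples=SAMPLES) -> dict:
    """Map each sample name to whether the approximated rule would alert."""
    return {name: rule_matches(*req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in triage().items():
        print(f"{'ALERT' if hit else 'ok   '}  {name}")
```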
Suricata
ET WEB_SPECIFIC_APPS pfSense CE 2.7.0 Stored Cross Site Script Attempt - getservicesproviders.php connection parameter (CVE-2023-42327)
suricata · 2023-12-12 · CVSS 5.4
No public exploits indexed.
Published: 2023-11-14