CVE-2024-54780Code Injection in Pfsense CE

CWE-94Code Injection2 documents2 sources
Severity
8.8HIGHNVD
EPSS
8.1%
top 7.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Netgate Pfsense CENetgate Pfsense Plus
Timeline
PublishedMay 14

Description

Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds are vulnerable to command injection in the OpenVPN widget due to improper sanitization of user-supplied input to the OpenVPN management interface. An authenticated attacker can exploit this vulnerability by injecting arbitrary OpenVPN management commands via the remipp parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDnetgate/pfsense_ce< 2.8.0

Patches

Patch: www.netgate.com

🔴Vulnerability Details

1
GHSA
GHSA-fx6v-jrpq-f762: Netgate pfSense CE (prior to 22025-05-14
CVE-2024-54780 — Code Injection in Netgate Pfsense CE | cvebase