CVE-2024-57273 — Cross-site Scripting in Pfsense CE

CWE-79 — Cross-site Scripting2 documents2 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 54.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netgate Pfsense CE Netgate Pfsense Plus

Timeline

PublishedMay 14

Description

Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds is vulnerable to Cross-site scripting (XSS) in the Automatic Configuration Backup (ACB) service, allowing remote attackers to execute arbitrary JavaScript, delete backups, or leak sensitive information via an unsanitized "reason" field and a derivable device key generated from the public SSH key.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDnetgate/pfsense_plus< 25.03

▶NVDnetgate/pfsense_ce< 2.8.0

🔴Vulnerability Details

GHSA

GHSA-v5vr-7qc6-xw56: Netgate pfSense CE (prior to 2↗2025-05-14

▶