CVE-2015-2294
N/A
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the WebGUI in pfSense before 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) zone parameter to status_captiveportal.php; (2) if or (3) dragtable parameter to firewall_rules.php; (4) queue parameter in an add action to firewall_shaper.php; (5) id parameter in an edit action to services_unbound_acls.php; or (6) filterlogentries_time, (7) filterlogentries_sourceipaddress, (8) filterlogentries_sourceport, (9) filterlogentries_destinationipaddress, (10) filterlogentries_interfaces, (11) filterlogentries_destinationport, (12) filterlogentries_protocolflags, or (13) filterlogentries_qty parameter to diag_logs_filter.php.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- http://www.securityfocus.com/archive/1/534987/100/0/threaded
- http://packetstormsecurity.com/files/131022/pfSense-2.2-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
- https://www.pfsense.org/security/advisories/pfSense-SA-15_03.webgui.asc
- http://www.securityfocus.com/bid/73344
- https://www.htbridge.com/advisory/HTB23251
- https://www.exploit-db.com/exploits/36506/
References
- http://www.securityfocus.com/archive/1/534987/100/0/threaded
- http://packetstormsecurity.com/files/131022/pfSense-2.2-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
- https://www.pfsense.org/security/advisories/pfSense-SA-15_03.webgui.asc
- http://www.securityfocus.com/bid/73344
- https://www.htbridge.com/advisory/HTB23251
- https://www.exploit-db.com/exploits/36506/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.