CVE-2014-4688

Name of the Vulnerable Software and Affected Versions pfSense versions prior to 2.1.4

Description The issue allows remote authenticated users to execute arbitrary commands. This can be achieved through various means, including the hostname value to "diag dns.php" in a Create Alias action, the smartmonemail value to "diag smart.php", or the database value to "status rrd graph img.php".

Recommendations For versions prior to 2.1.4, update to version 2.1.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected PHP files, such as "diag dns.php", "diag smart.php", and "status rrd graph img.php", until a patch is applied. Additionally, restrict the use of the smartmonemail and database variables in the respective API endpoints to minimize the risk of exploitation.