CVE-2019-16915

Name of the Vulnerable Software and Affected Versions pfSense versions prior to 2.4.4-p3

Description An issue was discovered where the widgetkey parameter in widgets/widgets/picture.widget.php is used directly without sanitization for a pathname to file get contents or file put contents.

Recommendations For versions prior to 2.4.4-p3, consider updating to a version that includes the necessary sanitization for the widgetkey parameter to prevent potential exploitation. As a temporary workaround, consider restricting access to the picture.widget.php file until a patch is available.