Dharmesh Baskaran

#16558of 53,630
16.2Total CVSS
Vulnerabilities · 3
Medium
3
PT-2021-10306
5.4
2021-07-12
Netgate · Pfsense · CVE-2020-19201
Name of the Vulnerable Software and Affected Versions: Netgate pfSense versions 2.4.4-p2 and earlier Description: A Stored Cross-Site Scripting (XSS) issue was found in the status filter reload.php page of the pfSense software WebGUI. The page did not properly encode output from the filter reload process, allowing a stored XSS attack via the `descr` parameter on NAT rules. Recommendations: For Netgate pfSense versions 2.4.4-p2 and earlier, update to a version that includes the fix for this issue to prevent stored XSS attacks. As a temporary workaround, consider restricting access to the status filter reload.php page and avoiding the use of the `descr` parameter on NAT rules until a patch is available.
PT-2021-10309
5.4
2021-07-12
Ipfire · Ipfire · CVE-2020-19204
Name of the Vulnerable Software and Affected Versions: IPFire version 2.21 (x86 64) - Core Update 130 Description: A Stored Cross-Site Scripting (XSS) issue exists, allowing an authenticated WebGUI user to execute Stored Cross-site Scripting in the Routing Table Entries via the "Remark" text box or `remark` parameter in the "routing.cgi" Routing Table Entries. Recommendations: For IPFire version 2.21 (x86 64) - Core Update 130, as a temporary workaround, consider restricting access to the "routing.cgi" Routing Table Entries or avoiding the use of the `remark` parameter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2021-10307
5.4
2021-06-17
Ipfire · Ipfire · CVE-2020-19202
Name of the Vulnerable Software and Affected Versions: IPFire version 2.21 (x86 64) - Core Update 130 Description: The issue is related to an authenticated Stored XSS (Cross-site Scripting) in the Captive Portal page. This occurs via the `TITLE` parameter or the "Title of Login Page" text box in the "captive.cgi" Captive Portal. It allows an authenticated WebGUI user with privileges to execute Stored Cross-site Scripting. Recommendations: For IPFire version 2.21 (x86 64) - Core Update 130, consider restricting access to the Captive Portal page until a fix is available. As a temporary workaround, avoid using the `TITLE` parameter in the "captive.cgi" Captive Portal to minimize the risk of exploitation.