Feliks Penconek

**Name of the Vulnerable Software and Affected Versions** OPNsense Community Edition versions prior to 23.7 OPNsense Business Edition versions prior to 23.4.2 **Description** The issue is an open redirect in the Login page of OPNsense, allowing attackers to redirect a victim user to an arbitrary web site via a crafted URL. **Recommendations** For OPNsense Community Edition versions prior to 23.7, update to version 23.7 or later. For OPNsense Business Edition versions prior to 23.4.2, update to version 23.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** OPNsense Community Edition versions prior to 23.7 OPNsense Business Edition versions prior to 23.4.2 **Description** A Cross-Site Request Forgery (CSRF) issue in the System Halt API at the "/system/halt" endpoint allows attackers to cause a Denial of Service (DoS) via a crafted GET request. This issue can be exploited by sending a specifically designed request to the affected API endpoint. **Recommendations** For OPNsense Community Edition versions prior to 23.7, update to version 23.7 or later. For OPNsense Business Edition versions prior to 23.4.2, update to version 23.4.2 or later. As a temporary workaround, consider restricting access to the "/system/halt" API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OPNsense Community Edition versions prior to 23.7 OPNsense Business Edition versions prior to 23.4.2 **Description** A reflected cross-site scripting (XSS) issue exists in the /ui/diagnostics/log/core/ component, allowing attackers to inject arbitrary JavaScript via the URL path. **Recommendations** For OPNsense Community Edition versions prior to 23.7, update to version 23.7 or later. For OPNsense Business Edition versions prior to 23.4.2, update to version 23.4.2 or later. As a temporary workaround, consider restricting access to the /ui/diagnostics/log/core/ component until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** OPNsense Community Edition versions prior to 23.7 OPNsense Business Edition versions prior to 23.4.2 **Description** A command injection issue in the diag backup.php component allows attackers to execute arbitrary commands via a crafted backup configuration file. **Recommendations** For OPNsense Community Edition versions prior to 23.7, update to version 23.7 or later. For OPNsense Business Edition versions prior to 23.4.2, update to version 23.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** OPNsense Community Edition versions prior to 23.7 OPNsense Business Edition versions prior to 23.4.2 **Description** A cross-site scripting (XSS) issue exists in the `act` parameter of `system certmanager.php`, allowing attackers to execute arbitrary web scripts or HTML via a crafted payload. **Recommendations** For OPNsense Community Edition versions prior to 23.7, update to version 23.7 or later. For OPNsense Business Edition versions prior to 23.4.2, update to version 23.4.2 or later. As a temporary workaround, consider restricting access to the `system certmanager.php` file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OPNsense Community Edition versions prior to 23.7 OPNsense Business Edition versions prior to 23.4.2 **Description** The issue is related to insecure permissions in the directory /tmp. **Recommendations** For OPNsense Community Edition versions prior to 23.7, update to version 23.7 or later. For OPNsense Business Edition versions prior to 23.4.2, update to version 23.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** OPNsense Community Edition versions prior to 23.7 OPNsense Business Edition versions prior to 23.4.2 **Description** The issue is related to insecure permissions in the configuration directory (/conf/) of OPNsense, allowing attackers to access sensitive information, such as the hashed root password, which could lead to privilege escalation. **Recommendations** For OPNsense Community Edition versions prior to 23.7, update to version 23.7 or later. For OPNsense Business Edition versions prior to 23.4.2, update to version 23.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** OPNsense Community Edition versions prior to 23.7 OPNsense Business Edition versions prior to 23.4.2 **Description** The issue is related to insecure permissions for configd.socket. **Recommendations** For OPNsense Community Edition versions prior to 23.7, update to version 23.7 or later. For OPNsense Business Edition versions prior to 23.4.2, update to version 23.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** OPNsense Community Edition versions prior to 23.7 OPNsense Business Edition versions prior to 23.4.2 **Description** The issue is related to the Crash Reporter component, specifically the crash reporter.php file, which mishandles input sanitization. This could potentially lead to security issues due to improper handling of user input. **Recommendations** For OPNsense Community Edition versions prior to 23.7, update to version 23.7 or later to resolve the issue. For OPNsense Business Edition versions prior to 23.4.2, update to version 23.4.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OPNsense Community Edition versions prior to 23.7 OPNsense Business Edition versions prior to 23.4.2 **Description** The issue allows for XSS via the `openAction` in the `app/controllers/OPNsense/Cron/ItemController.php` file, specifically in the `/ui/cron/item/open` endpoint of the Cron component. **Recommendations** For OPNsense Community Edition versions prior to 23.7, update to version 23.7 or later. For OPNsense Business Edition versions prior to 23.4.2, update to version 23.4.2 or later. As a temporary workaround, consider restricting access to the `/ui/cron/item/open` endpoint in the Cron component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OPNsense Community Edition versions prior to 23.7 OPNsense Business Edition versions prior to 23.4.2 **Description** A command injection issue in the "/api/cron/settings/setJob/" component allows attackers to execute arbitrary system commands. **Recommendations** For OPNsense Community Edition versions prior to 23.7, update to version 23.7 or later. For OPNsense Business Edition versions prior to 23.4.2, update to version 23.4.2 or later. As a temporary workaround, consider restricting access to the "/api/cron/settings/setJob/" API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OPNsense Community Edition versions prior to 23.7 OPNsense Business Edition versions prior to 23.4.2 **Description** A directory traversal vulnerability exists in the Captive Portal templates of OPNsense, allowing attackers to execute arbitrary system commands as root via a crafted ZIP archive. This issue arises due to incorrect restriction of the directory path name with limited access. Exploitation of this vulnerability may enable a remote attacker to execute arbitrary commands with root privileges using a specially crafted ZIP archive. **Recommendations** For OPNsense Community Edition versions prior to 23.7, update to version 23.7 or later to resolve the issue. For OPNsense Business Edition versions prior to 23.4.2, update to version 23.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Captive Portal templates until a patch is available.