CVE-2019-12949

Name of the Vulnerable Software and Affected Versions pfSense versions 2.4.4-p2 through 2.4.4-p3

Description The issue allows an attacker to leverage XSS to upload arbitrary executable code to a server if an authenticated administrator can be tricked into clicking on a button on a phishing page. This can be done via diag command.php and rrd fetch json.php with the timePeriod parameter. The attacker can then run any command with root privileges on the server.

Recommendations For pfSense versions 2.4.4-p2 and 2.4.4-p3, consider restricting access to diag command.php and rrd fetch json.php until a patch is available. As a temporary workaround, avoid using the timePeriod parameter in the affected API endpoint until the issue is resolved.