PT-2022-8638 · Netgate · Pfsense+1

Published

2022-12-15

Updated

2022-12-19

CVE-2020-21219

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Netgate pfSense version 2.4.4-Release-p3 Netgate ACME package version 0.6.3

Description A Cross Site Scripting (XSS) issue allows remote attackers to run arbitrary code via the RootFolder field to the "acme certificate edit.php" page of the ACME package. This enables attackers to execute malicious scripts on the affected system.

Recommendations For Netgate pfSense version 2.4.4-Release-p3, update the Netgate ACME package to a version that fixes the XSS vulnerability. For Netgate ACME package version 0.6.3, consider disabling access to the "acme certificate edit.php" page until a patch is available. As a temporary workaround, restrict input to the RootFolder field to minimize the risk of exploitation.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2020-21219

Affected Products

Acme Package

Pfsense

PT-2022-8638 · Netgate · Pfsense+1

CVE-2020-21219

Weakness Enumeration

Related Identifiers

Affected Products

References · 7