PT-2025-21162 · Openvpn+1

Published: 2024-11-15 · Updated: 2025-05-19 · CVE-2024-54780

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: pfSense CE versions prior to the 2.8.0 beta release, and corresponding Plus builds prior to the 2.8.0 beta release
Description: The issue is related to command injection in the OpenVPN widget due to improper sanitization of user-supplied input to the OpenVPN management interface. An authenticated attacker can exploit this by injecting arbitrary OpenVPN management commands via the remipp parameter.
Recommendations: For pfSense CE versions prior to the 2.8.0 beta release, update to version 2.8.0 beta or later to resolve the issue. For corresponding Plus builds prior to the 2.8.0 beta release, update to version 2.8.0 beta or later to resolve the issue. As a temporary workaround, consider restricting access to the OpenVPN management interface to minimize the risk of exploitation.
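
Added example (not pfSense code and not the vendor's fix): one way to validate a remipp-style value before it is written to the OpenVPN management interface. The function names are hypothetical, and it assumes the value is an IPv4 address and port that ends up in a `kill IP:port` management command; the sample inputs are constructed.

```php
<?php
// Added example, not pfSense source. Function names are hypothetical.

/**
 * Accept only "IPv4:port" and return it in canonical form, or null.
 * Anything else (spaces, control characters, extra tokens) is rejected,
 * so the value can never carry more than one management command.
 */
function parse_remote_endpoint(string $remipp): ?string
{
    // \A and \z anchor the whole string; unlike "$", \z does not
    // tolerate a trailing line break.
    if (!preg_match('/\A([0-9.]{7,15}):([0-9]{1,5})\z/', $remipp, $m)) {
        return null;
    }
    $ip = filter_var($m[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    $port = (int) $m[2];
    if ($ip === false || $port < 1 || $port > 65535) {
        return null;
    }
    return "{$ip}:{$port}";
}

/** Build the single-line command, or null when the input is rejected. */
function build_kill_command(string $remipp): ?string
{
    $endpoint = parse_remote_endpoint($remipp);
    // The line terminator is added here, by the server-side code only.
    return $endpoint === null ? null : "kill {$endpoint}\n";
}

// Constructed sample inputs: one well-formed value, four malformed ones.
$samples = [
    "198.51.100.7:1194",
    "198.51.100.7:70000",
    "198.51.100.7:1194 EXTRA",
    "198.51.100.7:1194\nEXTRA",
    "198.51.100.7:1194\n",
];
foreach ($samples as $s) {
    $cmd = build_kill_command($s);
    printf("%-30s => %s\n", json_encode($s),
        $cmd === null ? "rejected" : "send " . json_encode($cmd));
}
```

Validation of this kind belongs on the server side, at the point where the request parameter is turned into a management command, and a rejected value should be logged together with the authenticated user who sent it.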

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-00176
CVE-2024-54780

Affected Products

Openvpn
Pfsense Ce