Opnsense
By the Year
In 2024 there have been 0 vulnerabilities in Opnsense . Last year Opnsense had 15 security vulnerabilities published. Right now, Opnsense is on track to have less security vulnerabilities in 2024 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 15 | 7.47 |
| 2022 | 0 | 0.00 |
| 2021 | 2 | 6.10 |
| 2020 | 0 | 0.00 |
| 2019 | 2 | 6.85 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Opnsense vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Opnsense Security Vulnerabilities
DECISO OPNsense 23.1 does not impose rate limits for authentication
CVE-2023-27152
9.8 - Critical
- October 23, 2023
DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass authentication.
Improper Restriction of Excessive Authentication Attempts
OPNsense before 23.7.5
CVE-2023-44275
5.4 - Medium
- September 28, 2023
OPNsense before 23.7.5 allows XSS via the index.php column_count parameter to the Lobby Dashboard.
XSS
OPNsense before 23.7.5
CVE-2023-44276
5.4 - Medium
- September 28, 2023
OPNsense before 23.7.5 allows XSS via the index.php sequence parameter to the Lobby Dashboard.
XSS
A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2
CVE-2023-39000
6.1 - Medium
- August 09, 2023
A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to inject arbitrary JavaScript via the URL path.
XSS
OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 was discovered to contain insecure permissions in the directory /tmp.
CVE-2023-39003
7.5 - High
- August 09, 2023
OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 was discovered to contain insecure permissions in the directory /tmp.
Incorrect Permission Assignment for Critical Resource
Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2
CVE-2023-39004
9.8 - Critical
- August 09, 2023
Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allow attackers to access sensitive information (e.g., hashed root password) which could lead to privilege escalation.
Incorrect Permission Assignment for Critical Resource
Insecure permissions exist for configd.socket in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2.
CVE-2023-39005
7.5 - High
- August 09, 2023
Insecure permissions exist for configd.socket in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2.
Incorrect Permission Assignment for Critical Resource
A directory traversal vulnerability in the Captive Portal templates of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2
CVE-2023-38997
7.2 - High
- August 09, 2023
A directory traversal vulnerability in the Captive Portal templates of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands as root via a crafted ZIP archive.
Directory traversal
An open redirect in the Login page of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2
CVE-2023-38998
6.1 - Medium
- August 09, 2023
An open redirect in the Login page of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to redirect a victim user to an arbitrary web site via a crafted URL.
Open Redirect
A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2
CVE-2023-38999
6.5 - Medium
- August 09, 2023
A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to cause a Denial of Service (DoS) via a crafted GET request.
Session Riding
A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2
CVE-2023-39001
9.8 - Critical
- August 09, 2023
A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary commands via a crafted backup configuration file.
Command Injection
A cross-site scripting (XSS) vulnerability in the act parameter of system_certmanager.php in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2
CVE-2023-39002
6.1 - Medium
- August 09, 2023
A cross-site scripting (XSS) vulnerability in the act parameter of system_certmanager.php in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
XSS
The Crash Reporter (crash_reporter.php) component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 mishandles input sanitization.
CVE-2023-39006
5.4 - Medium
- August 09, 2023
The Crash Reporter (crash_reporter.php) component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 mishandles input sanitization.
XSS
A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2
CVE-2023-39008
9.8 - Critical
- August 09, 2023
A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands.
Command Injection
/ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2
CVE-2023-39007
9.6 - Critical
- August 09, 2023
/ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows XSS via openAction in app/controllers/OPNsense/Cron/ItemController.php.
XSS
A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4
CVE-2021-42770
6.1 - Medium
- November 08, 2021
A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4 via the LDAP attribute return in the authentication tester.
XSS
An open redirect issue was discovered in OPNsense through 20.1.5
CVE-2020-23015
6.1 - Medium
- May 03, 2021
An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter "url" in login page was not filtered and can redirect user to any website.
Open Redirect
OPNsense 18.7.x before 18.7.7 has Incorrect Access Control.
CVE-2018-18958
6.5 - Medium
- June 17, 2019
OPNsense 18.7.x before 18.7.7 has Incorrect Access Control.
Authorization
Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3
CVE-2019-11816
7.2 - High
- May 20, 2019
Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request.
