Pfsense Pfsense

  1. Vendors
  2. Pfsense
Do you want an email whenever new security vulnerabilities are reported in any Pfsense product?

Products by Pfsense Sorted by Most Security Vulnerabilities since 2018

Pfsense13 vulnerabilities

Pfsense Pfblockerng1 vulnerability

Pfsense Pkg Freeradius31 vulnerability

Pfsense Pkg Wireguard1 vulnerability

Pfsense Plus1 vulnerability

Pfsense Suricata Package1 vulnerability

By the Year

In 2024 there have been 0 vulnerabilities in Pfsense . Last year Pfsense had 5 security vulnerabilities published. Right now, Pfsense is on track to have less security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 5 7.84
2022 6 7.23
2021 4 5.58
2020 0 0.00
2019 1 6.10
2018 0 0.00

It may take a day or so for new Pfsense vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Pfsense Security Vulnerabilities

An issue discovered in Pfsense CE version 2.6.0

CVE-2023-29975 7.2 - High - November 09, 2023

An issue discovered in Pfsense CE version 2.6.0 allows attackers to change the password of any user without verification.

authentification

An issue discovered in Pfsense CE version 2.6.0

CVE-2023-29974 9.8 - Critical - November 08, 2023

An issue discovered in Pfsense CE version 2.6.0 allows attackers to compromise user accounts via weak password requirements.

Weak Password Requirements

Pfsense CE version 2.6.0 is vulnerable to No rate limit

CVE-2023-29973 4.9 - Medium - October 25, 2023

Pfsense CE version 2.6.0 is vulnerable to No rate limit which can lead to an attacker creating multiple malicious users in firewall.

Allocation of Resources Without Limits or Throttling

Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1

CVE-2020-19678 7.5 - High - April 06, 2023

Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php.

Directory traversal

Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0

CVE-2023-27100 9.8 - Critical - March 22, 2023

Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.

Improper Restriction of Excessive Authentication Attempts

pfSense pfBlockerNG through 2.1.4_27

CVE-2022-40624 9.8 - Critical - December 20, 2022

pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814.

Shell injection

pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component

CVE-2022-42247 6.1 - Medium - October 03, 2022

pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.

XSS

Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier)

CVE-2021-20729 6.1 - Medium - March 31, 2022

Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL.

XSS

Directory traversal vulnerability in pfSense-pkg-WireGuard pfSense-pkg-WireGuard 0.1.5 versions prior to 0.1.5_4 and pfSense-pkg-WireGuard 0.1.6 versions prior to 0.1.6_1

CVE-2022-21132 6.5 - Medium - March 10, 2022

Directory traversal vulnerability in pfSense-pkg-WireGuard pfSense-pkg-WireGuard 0.1.5 versions prior to 0.1.5_4 and pfSense-pkg-WireGuard 0.1.6 versions prior to 0.1.6_1 allows a remote authenticated attacker to lead a pfSense user to view a file outside the public folder.

Directory traversal

diag_routes.php in pfSense 2.5.2 allows sed data injection

CVE-2021-41282 8.8 - High - March 01, 2022

diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.

Injection

/usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call

CVE-2022-23993 6.1 - Medium - January 26, 2022

/usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call, causing XSS.

XSS

An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php

CVE-2020-19203 5.4 - Medium - July 12, 2021

An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS.

XSS

A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php

CVE-2020-19201 5.4 - Medium - July 12, 2021

A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) parameter on NAT rules.

XSS

A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which

CVE-2020-26693 5.4 - Medium - June 01, 2021

A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which allows an authenticated attacker to execute arbitrary web scripts via exploitation of the load_balancer_monitor.php function.

XSS

pfSense 2.5.0 allows XSS

CVE-2021-27933 6.1 - Medium - April 28, 2021

pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field.

XSS

/usr/local/www/freeradius_view_config.php in the freeradius3 package before 0.15.7_3 for pfSense on FreeBSD

CVE-2019-18667 6.1 - Medium - November 02, 2019

/usr/local/www/freeradius_view_config.php in the freeradius3 package before 0.15.7_3 for pfSense on FreeBSD allows a user with an XSS payload as password or username to execute arbitrary javascript code on a victim browser.

XSS

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.