Pfsense
By the Year
In 2024 there have been 0 vulnerabilities in Pfsense . Last year Pfsense had 5 security vulnerabilities published. Right now, Pfsense is on track to have less security vulnerabilities in 2024 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 5 | 7.84 |
| 2022 | 4 | 6.78 |
| 2021 | 4 | 5.58 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Pfsense vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Pfsense Security Vulnerabilities
An issue discovered in Pfsense CE version 2.6.0
CVE-2023-29975
7.2 - High
- November 09, 2023
An issue discovered in Pfsense CE version 2.6.0 allows attackers to change the password of any user without verification.
authentification
An issue discovered in Pfsense CE version 2.6.0
CVE-2023-29974
9.8 - Critical
- November 08, 2023
An issue discovered in Pfsense CE version 2.6.0 allows attackers to compromise user accounts via weak password requirements.
Weak Password Requirements
Pfsense CE version 2.6.0 is vulnerable to No rate limit
CVE-2023-29973
4.9 - Medium
- October 25, 2023
Pfsense CE version 2.6.0 is vulnerable to No rate limit which can lead to an attacker creating multiple malicious users in firewall.
Allocation of Resources Without Limits or Throttling
Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1
CVE-2020-19678
7.5 - High
- April 06, 2023
Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php.
Directory traversal
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0
CVE-2023-27100
9.8 - Critical
- March 22, 2023
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.
Improper Restriction of Excessive Authentication Attempts
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component
CVE-2022-42247
6.1 - Medium
- October 03, 2022
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
XSS
Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier)
CVE-2021-20729
6.1 - Medium
- March 31, 2022
Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL.
XSS
diag_routes.php in pfSense 2.5.2 allows sed data injection
CVE-2021-41282
8.8 - High
- March 01, 2022
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.
Injection
/usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call
CVE-2022-23993
6.1 - Medium
- January 26, 2022
/usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call, causing XSS.
XSS
An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php
CVE-2020-19203
5.4 - Medium
- July 12, 2021
An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS.
XSS
A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php
CVE-2020-19201
5.4 - Medium
- July 12, 2021
A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) parameter on NAT rules.
XSS
A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which
CVE-2020-26693
5.4 - Medium
- June 01, 2021
A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which allows an authenticated attacker to execute arbitrary web scripts via exploitation of the load_balancer_monitor.php function.
XSS
pfSense 2.5.0 allows XSS
CVE-2021-27933
6.1 - Medium
- April 28, 2021
pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field.
XSS
