Vulnerability Description
In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an acme_accountkeys_edit.php action. The vulnerability occurs due to input validation errors.
CVSS Score
6.1
MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netgate | Pfsense | 2.4.4 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/153112/pfSense-2.4.4-p3-Cross-Site-ScriptinExploitThird Party AdvisoryVDB Entry
- https://ctrsec.io/index.php/2019/05/28/stored-xss-acme-pfsense-2-4-4-p3/ExploitPatchThird Party Advisory
- https://github.com/pfsense/FreeBSD-ports/commit/504909564079e540689dbdbed3a57948PatchThird Party Advisory
- https://redmine.pfsense.org/issues/9554#change-40729ExploitVendor Advisory
- https://www.pfsense.org/download/Vendor Advisory
- http://packetstormsecurity.com/files/153112/pfSense-2.4.4-p3-Cross-Site-ScriptinExploitThird Party AdvisoryVDB Entry
- https://ctrsec.io/index.php/2019/05/28/stored-xss-acme-pfsense-2-4-4-p3/ExploitPatchThird Party Advisory
- https://github.com/pfsense/FreeBSD-ports/commit/504909564079e540689dbdbed3a57948PatchThird Party Advisory
- https://redmine.pfsense.org/issues/9554#change-40729ExploitVendor Advisory
- https://www.pfsense.org/download/Vendor Advisory
FAQ
What is CVE-2019-12347?
CVE-2019-12347 is a vulnerability with a CVSS score of 6.1 (MEDIUM). In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an acme_accountkeys_edit.php action. The vulnerability occurs due to input...
How severe is CVE-2019-12347?
CVE-2019-12347 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-12347?
Check the references section above for vendor advisories and patch information. Affected products include: Netgate Pfsense.