Vulnerability Description
An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version. After passing inputs to the command and executing this command, the $result variable is not sanitized before it is printed.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netgate | Pfsense | < 2.4.5 |
Related Weaknesses (CWE)
References
- https://docs.netgate.com/pfsense/en/latest/releases/2-4-5-new-features-and-changRelease NotesVendor Advisory
- https://github.com/pfsense/pfsense/commit/cc3990a334059018b004c91eeb66c147d8afe8PatchThird Party Advisory
- https://redmine.pfsense.org/issues/10355Issue TrackingThird Party Advisory
- https://docs.netgate.com/pfsense/en/latest/releases/2-4-5-new-features-and-changRelease NotesVendor Advisory
- https://github.com/pfsense/pfsense/commit/cc3990a334059018b004c91eeb66c147d8afe8PatchThird Party Advisory
- https://redmine.pfsense.org/issues/10355Issue TrackingThird Party Advisory
FAQ
What is CVE-2020-10797?
CVE-2020-10797 is a vulnerability with a CVSS score of 6.1 (MEDIUM). An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version. After passing inputs to the command and executing this command, the $result variable is no...
How severe is CVE-2020-10797?
CVE-2020-10797 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-10797?
Check the references section above for vendor advisories and patch information. Affected products include: Netgate Pfsense.