Vulnerability Description
A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) parameter on NAT rules.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netgate | Pfsense | <= 2.4.4 |
Related Weaknesses (CWE)
References
- https://docs.netgate.com/pfsense/en/latest/releases/2-4-4-p3.htmlProductVendor Advisory
- https://gist.github.com/dharmeshbaskaran/fd3779006361d07651a883e8a040d916ExploitThird Party Advisory
- https://www.pfsense.org/download/Vendor Advisory
- https://docs.netgate.com/pfsense/en/latest/releases/2-4-4-p3.htmlProductVendor Advisory
- https://gist.github.com/dharmeshbaskaran/fd3779006361d07651a883e8a040d916ExploitThird Party Advisory
- https://www.pfsense.org/download/Vendor Advisory
FAQ
What is CVE-2020-19201?
CVE-2020-19201 is a vulnerability with a CVSS score of 5.4 (MEDIUM). A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode...
How severe is CVE-2020-19201?
CVE-2020-19201 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-19201?
Check the references section above for vendor advisories and patch information. Affected products include: Netgate Pfsense.