The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of pfSense

vulnerability alert CVE-2019-8936

NTP.org: NULL pointer dereference via Authenticated Mode 6

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced via Authenticated Mode 6 of NTP.org, in order to trigger a denial of service.
Impacted products: Fedora, FreeBSD, Meinberg NTP Server, Data ONTAP, NTP.org, openSUSE Leap, pfSense, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: user account.
Creation date: 08/03/2019.
Identifiers: 3565, CVE-2019-8936, FEDORA-2019-694e3aa4e8, FEDORA-2019-f781d5c4c6, FreeBSD-SA-19:04.ntp, NTAP-20190503-0001, openSUSE-SU-2019:1143-1, openSUSE-SU-2019:1158-1, SSA:2019-067-01, SUSE-SU-2019:0775-1, SUSE-SU-2019:0777-1, SUSE-SU-2019:0789-1, SUSE-SU-2019:13991-1, SUSE-SU-2019:14004-1, VIGILANCE-VUL-28701.

Description of the vulnerability

An attacker can force a NULL pointer to be dereferenced via Authenticated Mode 6 of NTP.org, in order to trigger a denial of service.

vulnerability note CVE-2018-20798 CVE-2018-20799

pfSense: privilege escalation via SSHGUARD IP Blocking

Synthesis of the vulnerability

An attacker can bypass restrictions via SSHGUARD IP Blocking of pfSense, in order to escalate his privileges.
Impacted products: pfSense.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 04/03/2019.
Identifiers: CVE-2018-20798, CVE-2018-20799, VIGILANCE-VUL-28644.

Description of the vulnerability

An attacker can bypass restrictions via SSHGUARD IP Blocking of pfSense, in order to escalate his privileges.

computer vulnerability bulletin CVE-2019-8953

pfSense HAProxy: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in pfSense HAProxy, in order to run JavaScript code in the context of the web site.
Impacted products: pfSense.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 21/02/2019.
Identifiers: CVE-2019-8953, VIGILANCE-VUL-28578.

Description of the vulnerability

The pfSense HAProxy product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in pfSense HAProxy, in order to run JavaScript code in the context of the web site.

computer vulnerability alert 28386

pfSense: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in pfSense, in order to run JavaScript code in the context of the web site.
Impacted products: pfSense.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 29/01/2019.
Identifiers: VIGILANCE-VUL-28386.

Description of the vulnerability

The pfSense product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in pfSense, in order to run JavaScript code in the context of the web site.

computer vulnerability announce CVE-2018-4019 CVE-2018-4020 CVE-2018-4021

pfSense: privilege escalation via system_advanced_misc.php

Synthesis of the vulnerability

An attacker can bypass restrictions via system_advanced_misc.php of pfSense, in order to escalate his privileges.
Impacted products: pfSense.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Number of vulnerabilities in this bulletin: 3.
Creation date: 03/12/2018.
Identifiers: CVE-2018-4019, CVE-2018-4020, CVE-2018-4021, pfSense-SA-18_09.webgui, TALOS-2018-0690, VIGILANCE-VUL-27937.

Description of the vulnerability

An attacker can bypass restrictions via system_advanced_misc.php of pfSense, in order to escalate his privileges.

computer vulnerability alert CVE-2018-16055

pfSense: privilege escalation via dhcp_relinquish_lease

Synthesis of the vulnerability

An attacker can bypass restrictions via dhcp_relinquish_lease of pfSense, in order to escalate his privileges.
Impacted products: pfSense.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: user account.
Creation date: 03/12/2018.
Identifiers: CVE-2018-16055, pfSense-SA-18_08.webgui, VIGILANCE-VUL-27936.

Description of the vulnerability

An attacker can bypass restrictions via dhcp_relinquish_lease of pfSense, in order to escalate his privileges.

computer vulnerability 27935

pfSense: Cross Site Scripting via WebGUI

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via the WebGUI of pfSense, in order to run JavaScript code in the context of the web site.
Impacted products: pfSense.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 03/12/2018.
Identifiers: pfSense-SA-18_07.webgui, VIGILANCE-VUL-27935.

Description of the vulnerability

The pfSense product offers a web service.

However, it does not filter data received via the WebGUI before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via the WebGUI of pfSense, in order to run JavaScript code in the context of the web site.

vulnerability note 27934

pfSense: Cross Site Scripting via WebGUI

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via the WebGUI of pfSense, in order to run JavaScript code in the context of the web site.
Impacted products: pfSense.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 03/12/2018.
Identifiers: pfSense-SA-18_06.webgui, VIGILANCE-VUL-27934.

Description of the vulnerability

The pfSense product offers a web service.

However, it does not filter data received via the WebGUI before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via the WebGUI of pfSense, in order to run JavaScript code in the context of the web site.

vulnerability CVE-2018-6925

FreeBSD: denial of service via IPv6 listen

Synthesis of the vulnerability

An attacker can generate a fatal error via IPv6 listen() of FreeBSD, in order to trigger a denial of service.
Impacted products: FreeBSD, pfSense.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 28/09/2018.
Identifiers: CVE-2018-6925, FreeBSD-EN-18:11.listen, pfSense-SA-18_09.webgui, VIGILANCE-VUL-27360.

Description of the vulnerability

An attacker can generate a fatal error via IPv6 listen() of FreeBSD, in order to trigger a denial of service.

computer vulnerability note CVE-2018-17154

FreeBSD: NULL pointer dereference via freebsd4_getfsstat

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced via freebsd4_getfsstat() of FreeBSD, in order to trigger a denial of service.
Impacted products: FreeBSD, pfSense.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Creation date: 28/09/2018.
Identifiers: CVE-2018-17154, FreeBSD-EN-18:10.syscall, pfSense-SA-18_09.webgui, VIGILANCE-VUL-27359.

Description of the vulnerability

An attacker can force a NULL pointer to be dereferenced via freebsd4_getfsstat() of FreeBSD, in order to trigger a denial of service.