Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Opnsense
(Opnsense)Repositories |
Unknown: This might be proprietary software. |
#Vulnerabilities | 19 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2023-08-09 | CVE-2023-38997 | A directory traversal vulnerability in the Captive Portal templates of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands as root via a crafted ZIP archive. | Opnsense | 7.2 | ||
2023-10-23 | CVE-2023-27152 | DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass authentication. | Opnsense | 9.8 | ||
2023-08-09 | CVE-2023-38998 | An open redirect in the Login page of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to redirect a victim user to an arbitrary web site via a crafted URL. | Opnsense | 6.1 | ||
2023-08-09 | CVE-2023-38999 | A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to cause a Denial of Service (DoS) via a crafted GET request. | Opnsense | 6.5 | ||
2023-08-09 | CVE-2023-39000 | A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to inject arbitrary JavaScript via the URL path. | Opnsense | 6.1 | ||
2023-08-09 | CVE-2023-39001 | A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary commands via a crafted backup configuration file. | Opnsense | 9.8 | ||
2023-08-09 | CVE-2023-39002 | A cross-site scripting (XSS) vulnerability in the act parameter of system_certmanager.php in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | Opnsense | 6.1 | ||
2023-08-09 | CVE-2023-39003 | OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 was discovered to contain insecure permissions in the directory /tmp. | Opnsense | 7.5 | ||
2023-08-09 | CVE-2023-39004 | Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allow attackers to access sensitive information (e.g., hashed root password) which could lead to privilege escalation. | Opnsense | 9.8 | ||
2023-08-09 | CVE-2023-39005 | Insecure permissions exist for configd.socket in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2. | Opnsense | 7.5 |