CVE-2019-12347
In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an acme_accountkeys_edit.php action. The vulnerability occurs due to input validation errors.
Affected products
n/a · n/a
Public PoCs found: 2
cve_reference: packetstormsecurity.com/files/153112/pfSense-2.4.4-p3-Cross-Site-Scripting.html (unverified)
exploitdb: www.exploit-db.com/exploits/46936 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/153112/pfSense-2.4.4-p3-Cross-Site-Scripting.html
https://ctrsec.io/index.php/2019/05/28/stored-xss-acme-pfsense-2-4-4-p3/
https://github.com/pfsense/FreeBSD-ports/commit/504909564079e540689dbdbed3a579483c614275
https://redmine.pfsense.org/issues/9554#change-40729
https://www.pfsense.org/download/