jim-p

13 exploits Active since Jun 2019
CVE-2019-12584 WRITEUP MEDIUM WRITEUP
Apcupsd < 2.4.4 - XSS
Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an XSS issue in apcupsd_status.php.
CVSS 6.1
CVE-2019-12585 WRITEUP CRITICAL WRITEUP
Apcupsd < 2.4.4 - OS Command Injection
Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an Arbitrary Command Execution issue in apcupsd_status.php.
CVSS 9.8
CVE-2019-16914 WRITEUP MEDIUM WRITEUP
Netgate Pfsense < 2.4.4 - XSS
An XSS issue was discovered in pfSense through 2.4.4-p3. In services_captiveportal_mac.php, the username and delmac parameters are displayed without sanitization.
CVSS 6.1
CVE-2019-16915 WRITEUP CRITICAL WRITEUP
Netgate Pfsense < 2.4.4 - Path Traversal
An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents.
CVSS 9.8
CVE-2019-18667 WRITEUP MEDIUM WRITEUP
freeradius3 <0.15.7.3 - XSS
/usr/local/www/freeradius_view_config.php in the freeradius3 package before 0.15.7_3 for pfSense on FreeBSD allows a user with an XSS payload as password or username to execute arbitrary javascript code on a victim browser.
CVSS 6.1
CVE-2020-10797 WRITEUP MEDIUM WRITEUP
pfsense <2.4.5 - XSS
An XSS vulnerability resides in the hostname field of the diag_ping.php page in pfsense before 2.4.5 version. After passing inputs to the command and executing this command, the $result variable is not sanitized before it is printed.
CVSS 6.1
CVE-2020-21219 WRITEUP MEDIUM WRITEUP
Netgate Acme - XSS
Cross Site Scripting (XSS) vulnerability in Netgate pf Sense 2.4.4-Release-p3 and Netgate ACME package 0.6.3 allows remote attackers to to run arbitrary code via the RootFolder field to acme_certificate_edit.php page of the ACME package.
CVSS 6.1
CVE-2020-21487 WRITEUP CRITICAL WRITEUP
Netgate Pfsense - XSS
Cross Site Scripting vulnerability found in Netgate pfSense 2.4.4 and ACME package v.0.6.3 allows attackers to execute arbitrary code via the RootFolder field of acme_certificates.php.
CVSS 9.6
CVE-2020-26693 WRITEUP MEDIUM WRITEUP
pfSense 2.4.5-p1 - XSS
A stored cross-site scripting (XSS) vulnerability was discovered in pfSense 2.4.5-p1 which allows an authenticated attacker to execute arbitrary web scripts via exploitation of the load_balancer_monitor.php function.
CVSS 5.4
CVE-2022-23993 WRITEUP MEDIUM WRITEUP
pfSense CE <2.6.0 - pfSense Plus <22.01 - XSS
/usr/local/www/pkg.php in pfSense CE before 2.6.0 and pfSense Plus before 22.01 uses $_REQUEST['pkg_filter'] in a PHP echo call, causing XSS.
CVSS 6.1
CVE-2022-42247 WRITEUP MEDIUM WRITEUP
Pfsense - XSS
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
CVSS 6.1
CVE-2025-12490 WRITEUP HIGH WRITEUP
Netgate pfSense CE - Path Traversal
Netgate pfSense CE Suricata Path Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of Netgate pfSense. Authentication is required to exploit this vulnerability. The specific flaw exists within the Suricata package. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create files in the context of root. Was ZDI-CAN-28085.
CVSS 8.8
CVE-2025-34172 WRITEUP MEDIUM WRITEUP
Pfsense < 2.8.0 - XSS
In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.
CVSS 6.1