CVE-2014-4690
pfSense < 2.1.3 - Path Traversal via pkg Parameter (Unauthenticated) and downloadbackup Parameter (Authenticated)
Title source: llmDescription
Multiple directory traversal vulnerabilities in pfSense before 2.1.4 allow (1) remote attackers to read arbitrary .info files via a crafted path in the pkg parameter to pkg_mgr_install.php and allow (2) remote authenticated users to read arbitrary files via the downloadbackup parameter to system_firmware_restorefullbackup.php.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://pfsense.org/security/advisories/pfSense-SA-14_11.webgui.asc
Scores
EPSS
0.0350
EPSS Percentile
87.7%
Details
CWE
CWE-22
Status
published
Products (1)
netgate/pfsense
< 2.1.3
Published
Jul 02, 2014
Tracked Since
Feb 18, 2026