CVE-2019-12347

MEDIUM

pfSense 2.4.4-p3 - Stored Cross-Site Scripting via ACME Account Name or Description Field

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-12347. PoCs published by Chi Tran.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in pfSense's ACME package. The attacker injects malicious JavaScript payloads into the 'Name' and 'Description' fields, which execute when the page is loaded.

Description

In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers inject a payload into the Name or Description field via an acme_accountkeys_edit.php action. The vulnerability occurs due to input validation errors.

Exploits (1)

exploitdb WORKING POC
by Chi Tran · textwebappsphp
https://www.exploit-db.com/exploits/46936

This exploit demonstrates a stored XSS vulnerability in pfSense's ACME package. The attacker injects malicious JavaScript payloads into the 'Name' and 'Description' fields, which execute when the page is loaded.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: pfSense 2.4.4-p3 with ACME Package 0.5.7_1
Auth required
Prerequisites: Access to the pfSense web interface · Valid credentials to edit ACME account keys
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Exploit, Vendor Advisory x_refsource_misc
https://redmine.pfsense.org/issues/9554#change-40729
Vendor Advisory x_refsource_misc
https://www.pfsense.org/download/
Exploit, Patch, Third Party Advisory x_refsource_misc
https://ctrsec.io/index.php/2019/05/28/stored-xss-acme-pfsense-2-4-4-p3/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/153112/pfSense-2.4.4-p3-Cross-Site-Scripting.html

Scores

CVSS v3 6.1
EPSS 0.7318
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
netgate/pfsense 2.4.4 p3
Published May 29, 2019
Tracked Since Feb 18, 2026