CVE-2023-39007
CRITICAL NUCLEIOPNsense < 23.7 - Cross-Site Scripting via Cron Item Controller openAction Parameter
Title source: llmExploitation Summary
CVE-2023-39007 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
/ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows XSS via openAction in app/controllers/OPNsense/Cron/ItemController.php.
Nuclei Templates (1)
OPNsense - Cross-Site Scripting to RCE
CRITICALby ritikchaddha
Shodan:
title:"OPNsense" || http.title:"opnsense"
FOFA:
title="opnsense"
References (3)
Core 3
Core References
Exploit, Third Party Advisory
https://logicaltrust.net/blog/2023/08/opnsense.html
Various Sources
https://github.com/opnsense/core/compare/23.1.11...23.7
Scores
CVSS v3
9.6
EPSS
0.0232
EPSS Percentile
81.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (1)
opnsense/opnsense
< 23.7
Published
Aug 09, 2023
Tracked Since
Feb 18, 2026