CPE Details
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
CPE Name: cpe:2.3:a:opnsense:opnsense:15.1:*:*:*:*:*:*:*
Informations
Vendor
opnsenseProduct
opnsenseVersion
15.1Related CVE
| CVE ID | Published | Description | Score | Severity |
|---|---|---|---|---|
| OPNsense before 23.7.5 allows XSS via the index.php column_count parameter to the Lobby Dashboard. | 5.4 |
Medium |
||
| OPNsense before 23.7.5 allows XSS via the index.php sequence parameter to the Lobby Dashboard. | 5.4 |
Medium |
||
| A directory traversal vulnerability in the Captive Portal templates of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands as root via a crafted ZIP archive. | 7.2 |
High |
||
| An open redirect in the Login page of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to redirect a victim user to an arbitrary web site via a crafted URL. | 6.1 |
Medium |
||
| A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/halt) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to cause a Denial of Service (DoS) via a crafted GET request. | 6.5 |
Medium |
||
| A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to inject arbitrary JavaScript via the URL path. | 6.1 |
Medium |
||
| A command injection vulnerability in the component diag_backup.php of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary commands via a crafted backup configuration file. | 9.8 |
Critical |
||
| A cross-site scripting (XSS) vulnerability in the act parameter of system_certmanager.php in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 6.1 |
Medium |
||
| OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 was discovered to contain insecure permissions in the directory /tmp. | 7.5 |
High |
||
| Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allow attackers to access sensitive information (e.g., hashed root password) which could lead to privilege escalation. | 9.8 |
Critical |
||
| Insecure permissions exist for configd.socket in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2. | 7.5 |
High |
||
| The Crash Reporter (crash_reporter.php) component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 mishandles input sanitization. | 5.4 |
Medium |
||
| /ui/cron/item/open in the Cron component of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows XSS via openAction in app/controllers/OPNsense/Cron/ItemController.php. | 9.6 |
Critical |
||
| A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands. | 9.8 |
Critical |
||
| A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4 via the LDAP attribute return in the authentication tester. | 6.1 |
Medium |
||
| An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter "url" in login page was not filtered and can redirect user to any website. | 6.1 |
Medium |
||
| Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request. | 7.2 |
High |
2025©
tesweb SA
