XSS in Netgate Pfsense

CVE-2015-2294

Multiple cross-site scripting (XSS) vulnerabilities in the WebGUI in pfSense before 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) zone parameter to status_captiveportal.php; (2) if or (3) dragtable paramet…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.242 (97.6th percentile) — read the EPSS interpretation.

Affected products

Netgate Pfsense
N/a — versions n/a

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

20150325 Arbitrary file deletion and multiple XSS vulnerabilities in pfSense (mailing-list, x_refsource_BUGTRAQ)
cve@mitre.org (Exploit, x_refsource_MISC)
cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)
73344 (vdb-entry, x_refsource_BID)
cve@mitre.org (Exploit, x_refsource_MISC)
36506 (exploit, x_refsource_EXPLOIT-DB)