Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds is vulnerable to Cross Site Scripting (XSS) in widgets/log.widget.php.
References
Link | Resource |
---|---|
https://blog.brillantit.com/exploiting-pfsense-xss-command-injection-cloud-hijack/ | Exploit Third Party Advisory |
https://docs.netgate.com/downloads/pfSense-SA-25_01.webgui.asc | Vendor Advisory Mailing List |
https://www.netgate.com/blog/important-security-updates-for-pfsense-plus-24.11-and-ce-2.7.2 | Release Notes |
Configurations
Configuration 1 (hide)
|
History
23 Jun 2025, 14:51
Type | Values Removed | Values Added |
---|---|---|
First Time |
Netgate pfsense Ce
Netgate Netgate pfsense Plus |
|
References | () https://blog.brillantit.com/exploiting-pfsense-xss-command-injection-cloud-hijack/ - Exploit, Third Party Advisory | |
References | () https://docs.netgate.com/downloads/pfSense-SA-25_01.webgui.asc - Vendor Advisory, Mailing List | |
References | () https://www.netgate.com/blog/important-security-updates-for-pfsense-plus-24.11-and-ce-2.7.2 - Release Notes | |
CPE | cpe:2.3:a:netgate:pfsense_plus:*:*:*:*:*:*:*:* cpe:2.3:a:netgate:pfsense_ce:*:*:*:*:*:*:*:* |
19 May 2025, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
17 May 2025, 13:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
16 May 2025, 14:43
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
14 May 2025, 15:15
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
CWE | CWE-79 |
14 May 2025, 14:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-05-14 14:15
Updated : 2025-06-23 14:51
NVD link : CVE-2024-54779
Mitre link : CVE-2024-54779
CVE.ORG link : CVE-2024-54779
JSON object : View
Products Affected
netgate
- pfsense_ce
- pfsense_plus
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')