Vulnerability Details CVE-2019-8953
The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, related to haproxy_listeners.php and haproxy_listeners_edit.php.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.768
EPSS Ranking 98.9%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- https://cxsecurity.com/issue/WLB-2019020153
- https://github.com/pfsense/FreeBSD-ports/commit/2dded47b3202dfdf89aa96f84bf701b3d5acbe6c
- https://github.com/pfsense/FreeBSD-ports/commit/3b40366aca55910b224ecf49d3fdacc9ad6c04f5
- https://redmine.pfsense.org/issues/9335
- https://www.exploit-db.com/exploits/46538/
- https://cxsecurity.com/issue/WLB-2019020153
- https://github.com/pfsense/FreeBSD-ports/commit/2dded47b3202dfdf89aa96f84bf701b3d5acbe6c
- https://github.com/pfsense/FreeBSD-ports/commit/3b40366aca55910b224ecf49d3fdacc9ad6c04f5
- https://redmine.pfsense.org/issues/9335
- https://www.exploit-db.com/exploits/46538/
Products affected by CVE-2019-8953
-
cpe:2.3:a:netgate:haproxy:0.01
-
cpe:2.3:a:netgate:haproxy:0.15
-
cpe:2.3:a:netgate:haproxy:0.16
-
cpe:2.3:a:netgate:haproxy:0.18
-
cpe:2.3:a:netgate:haproxy:0.19
-
cpe:2.3:a:netgate:haproxy:0.21
-
cpe:2.3:a:netgate:haproxy:0.22
-
cpe:2.3:a:netgate:haproxy:0.23
-
cpe:2.3:a:netgate:haproxy:0.24
-
cpe:2.3:a:netgate:haproxy:0.25
-
cpe:2.3:a:netgate:haproxy:0.26
-
cpe:2.3:a:netgate:haproxy:0.27
-
cpe:2.3:a:netgate:haproxy:0.28
-
cpe:2.3:a:netgate:haproxy:0.29
-
cpe:2.3:a:netgate:haproxy:0.59.2
-
cpe:2.3:a:netgate:haproxy:0.59_5
-
cpe:2.3:a:netgate:haproxy:0.59_7
-
cpe:2.3:a:netgate:haproxy:0.59_9