Vulnerability Details CVE-2024-57273
Netgate pfSense CE (prior to the 2.8.0 beta release) and the corresponding Plus builds are vulnerable to cross-site scripting (XSS) in the Automatic Configuration Backup (ACB) service, allowing remote attackers to execute arbitrary JavaScript, delete backups, or leak sensitive information via an unsanitized "reason" field and a derivable device key generated from the public SSH key.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 24.9%
CVSS Severity
CVSS v3 Score 5.4
Products affected by CVE-2024-57273
- cpe:2.3:a:netgate:pfsense_ce:*
- cpe:2.3:a:netgate:pfsense_plus:-
- cpe:2.3:a:netgate:pfsense_plus:21.02
- cpe:2.3:a:netgate:pfsense_plus:21.02.2
- cpe:2.3:a:netgate:pfsense_plus:21.05
- cpe:2.3:a:netgate:pfsense_plus:21.05.1
- cpe:2.3:a:netgate:pfsense_plus:21.05.2
- cpe:2.3:a:netgate:pfsense_plus:22.01
- cpe:2.3:a:netgate:pfsense_plus:22.05
- cpe:2.3:a:netgate:pfsense_plus:22.05.1
- cpe:2.3:a:netgate:pfsense_plus:23.01
- cpe:2.3:a:netgate:pfsense_plus:23.05
- cpe:2.3:a:netgate:pfsense_plus:23.05.1
- cpe:2.3:a:netgate:pfsense_plus:23.09