Pfsense
CVE-2014-4692
MEDIUM
Severity by source
AV:N/AC:M/Au:N/C:P/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
AV:N/AC:M/Au:N/C:P/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
pfSense before 2.1.4, when HTTP is used, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
AnalysisAI
pfSense before 2.1.4, when HTTP is used, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. pfSense before 2.1.4, when HTTP is used, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. Affected products include: Netgate Pfsense. Version information: before 2.1.4.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
Cross-site request forgery (CSRF) vulnerability in system_firmware_restorefullbackup.php in the WebGUI in pfSense before
A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attac
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22
diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executi
pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_ph
An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the paramete
An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the paramete
An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the paramete
pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via (1) the hostname value to diag_
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. Rated
pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field. Rated medium severity (CVSS 6.1), this vulnera
In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today