Pfsense
CVE-2023-29973
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Pfsense CE version 2.6.0 is vulnerable to No rate limit which can lead to an attacker creating multiple malicious users in firewall.
AnalysisAI
Pfsense CE version 2.6.0 is vulnerable to No rate limit which can lead to an attacker creating multiple malicious users in firewall. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Allocation of Resources Without Limits (CWE-770), which allows attackers to exhaust system resources through uncontrolled allocation. Pfsense CE version 2.6.0 is vulnerable to No rate limit which can lead to an attacker creating multiple malicious users in firewall. Affected products include: Pfsense. Version information: version 2.6.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Set resource limits, implement rate limiting, validate input sizes.
Cross-site request forgery (CSRF) vulnerability in system_firmware_restorefullbackup.php in the WebGUI in pfSense before
A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attac
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22
diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or txtRecallBuffer field, as demonstrated by executi
pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_ph
An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the paramete
An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the paramete
An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the paramete
pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via (1) the hostname value to diag_
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. Rated
pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field. Rated medium severity (CVSS 6.1), this vulnera
In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today