CVE Catalog

CVE-2024-57273

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.18%

64th percentile - higher than 64% of all known CVEs

Summary

An XSS vulnerability in the Automatic Configuration Backup (ACB) service of Netgate pfSense CE (prior to 2.8.0 beta) and corresponding Plus builds allows remote attackers to execute arbitrary JavaScript, delete backups, or leak sensitive information via an unsanitized 'reason' field and a derivable device key generated from the public SSH key.

Risk Assessment

The risk includes potential session hijacking, credential theft, deletion of critical configuration backups, and leakage of confidential information, which could compromise system integrity and confidentiality.

Recommendation

Immediately upgrade pfSense to version 2.8.0 beta or later, which includes a fix for the XSS vulnerability in the ACB service.

Original NVD description (English source)

Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds is vulnerable to Cross-site scripting (XSS) in the Automatic Configuration Backup (ACB) service, allowing remote attackers to execute arbitrary JavaScript, delete backups, or leak sensitive information via an unsanitized "reason" field and a derivable device key generated from the public SSH key.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS