Details of VAR-201508-0131

ID

VAR-201508-0131

CVE

CVE-2015-6509

TITLE

pfSense Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2015-004305

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) proxypass parameter to system_advanced_misc.php; (2) adaptiveend, (3) adaptivestart, (4) maximumstates, (5) maximumtableentries, or (6) aliasesresolveinterval parameter to system_advanced_firewall.php; (7) proxyurl, (8) proxyuser, or (9) proxyport parameter to system_advanced_misc.php; or (10) name, (11) notification_name, (12) ipaddress, (13) password, (14) smtpipaddress, (15) smtpport, (16) smtpfromaddress, (17) smtpnotifyemailaddress, (18) smtpusername, or (19) smtppassword parameter to system_advanced_notifications.php. (1) system_advanced_misc.php of proxypass Parameters (2) system_advanced_firewall.php of adaptiveend Parameters (3) system_advanced_firewall.php of adaptivestart Parameters (4) system_advanced_firewall.php of maximumstates Parameters (5) system_advanced_firewall.php of maximumtableentries Parameters (6) system_advanced_firewall.php of aliasesresolveinterval Parameters (7) system_advanced_misc.php of proxyurl Parameters (8) system_advanced_misc.php of proxyuser Parameters (9) system_advanced_misc.php of proxyport Parameters (10) system_advanced_notifications.php of name Parameters (11) system_advanced_notifications.php of notification_name Parameters (12) system_advanced_notifications.php of ipaddress Parameters (13) system_advanced_notifications.php of password Parameters (14) system_advanced_notifications.php of smtpipaddress Parameters (15) system_advanced_notifications.php of smtpport Parameters (16) system_advanced_notifications.php of smtpfromaddress Parameters (17) system_advanced_notifications.php of smtpnotifyemailaddress Parameters (18) system_advanced_notifications.php of smtpusername Parameters (19) system_advanced_notifications.php of smtppassword Parameters. Electric Sheep Fencing pfsense is a free and open source FreeBSD-based firewall and router software from Electric Sheep Fencing

Trust: 2.16

sources: NVD: CVE-2015-6509 // JVNDB: JVNDB-2015-004305 // CNVD: CNVD-2015-05672

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-05672

AFFECTED PRODUCTS

vendor:	netgate	model:	pfsense	scope:	lte	version:	2.2.2	Trust: 1.0
vendor:	electric sheep fencing	model:	pfsense	scope:	lt	version:	2.2.3	Trust: 0.8
vendor:	electric	model:	sheep fencing llc. pfsense	scope:	lt	version:	2.2.3	Trust: 0.6
vendor:	pfsense	model:	pfsense	scope:	eq	version:	2.2.2	Trust: 0.6

sources: CNVD: CNVD-2015-05672 // JVNDB: JVNDB-2015-004305 // CNNVD: CNNVD-201508-410 // NVD: CVE-2015-6509

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-6509
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-6509
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-05672
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201508-410
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2015-6509
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-05672
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2015-05672 // JVNDB: JVNDB-2015-004305 // CNNVD: CNNVD-201508-410 // NVD: CVE-2015-6509

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2015-004305 // NVD: CVE-2015-6509

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201508-410

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201508-410

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004305

PATCH

title:	pfSense-SA-15_06.webgui	url:	https://www.pfsense.org/security/advisories/pfSense-SA-15_06.webgui.asc	Trust: 0.8
title:	Patch for Electric Sheep Fencing pfsense Cross-Site Scripting Vulnerability (CNVD-2015-05672)	url:	https://www.cnvd.org.cn/patchInfo/show/63146	Trust: 0.6
title:	Electric Sheep Fencing pfsense Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93072	Trust: 0.6

sources: CNVD: CNVD-2015-05672 // JVNDB: JVNDB-2015-004305 // CNNVD: CNNVD-201508-410

EXTERNAL IDS

db:	NVD	id:	CVE-2015-6509	Trust: 3.0
db:	JVNDB	id:	JVNDB-2015-004305	Trust: 0.8
db:	CNVD	id:	CNVD-2015-05672	Trust: 0.6
db:	CNNVD	id:	CNNVD-201508-410	Trust: 0.6

sources: CNVD: CNVD-2015-05672 // JVNDB: JVNDB-2015-004305 // CNNVD: CNNVD-201508-410 // NVD: CVE-2015-6509

REFERENCES

url:	https://www.pfsense.org/security/advisories/pfsense-sa-15_06.webgui.asc	Trust: 2.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6509	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6509	Trust: 0.8

sources: CNVD: CNVD-2015-05672 // JVNDB: JVNDB-2015-004305 // CNNVD: CNNVD-201508-410 // NVD: CVE-2015-6509

SOURCES

db:	CNVD	id:	CNVD-2015-05672
db:	JVNDB	id:	JVNDB-2015-004305
db:	CNNVD	id:	CNNVD-201508-410
db:	NVD	id:	CVE-2015-6509

LAST UPDATE DATE

2024-11-23T22:22:54.078000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-05672	date:	2015-08-27T00:00:00
db:	JVNDB	id:	JVNDB-2015-004305	date:	2015-08-24T00:00:00
db:	CNNVD	id:	CNNVD-201508-410	date:	2019-05-31T00:00:00
db:	NVD	id:	CVE-2015-6509	date:	2024-11-21T02:35:06.967

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2015-05672	date:	2015-08-27T00:00:00
db:	JVNDB	id:	JVNDB-2015-004305	date:	2015-08-24T00:00:00
db:	CNNVD	id:	CNNVD-201508-410	date:	2015-08-19T00:00:00
db:	NVD	id:	CVE-2015-6509	date:	2015-08-18T15:59:08.847