CVE-2020-21487

CRITICAL EPSS 47.2%

Published Apr 4, 20233y ago · Modified Jun 17, 20261w ago

9.6 CVSS 3.1

Critical

Published Apr 4, 2023 3y ago

Last Modified Jun 17, 2026 1w ago

Description

Cross Site Scripting vulnerability found in Netgate pfSense 2.4.4 and ACME package v.0.6.3 allows attackers to execute arbitrary code via the RootFolder field of acme_certificates.php.

CVSS Details

Base Score

9.6

Exploitability

2.8

Impact

6.0

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Changed

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

47.2% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 2

Vendor	Product	Version	Range
netgate	pfsense	2.4.4	any
netgate	pfsense_acme_package	0.6.3	any

References 2

github.com https://github.com/pfsense/FreeBSD-ports/commit/a6f443cde51e7fcf17e51f16014d3589253284d8

Patch
redmine.pfsense.org https://redmine.pfsense.org/issues/9888

Issue TrackingPatch

Remediation

github.com https://github.com/pfsense/FreeBSD-ports/commit/a6f443cde51e7fcf17e51f16014d3589253284d8

Patch
redmine.pfsense.org https://redmine.pfsense.org/issues/9888

Issue TrackingPatch