CVE-2021-20729

MEDIUM

Published Mar 31, 20224y ago · Modified Jun 17, 20261w ago

6.1 CVSS 3.1

Medium

Published Mar 31, 2022 4y ago

Last Modified Jun 17, 2026 1w ago

Description

Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL.

CVSS Details

Base Score

6.1

Exploitability

2.8

Impact

2.7

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Changed

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 2

Vendor	Product	Version	Range
netgate	pfsense_plus	*	≤21.05
pfsense	pfsense	*	≤2.5.2

References 2

docs.netgate.com https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc

Third Party Advisory
jvn.jp https://jvn.jp/en/jp/JVN87751554/index.html

Third Party AdvisoryVDB Entry

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.