pfSense: pfSense-SA-17_02.webgui: Arbitrary Code Execution
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | Feb 10, 2017 | Aug 25, 2017 | Feb 18, 2025 |
Description
A command-injection vulnerability exists in wizard.php via update_config_field(), which passes user input through eval(), notably when handling interfaces_selection type fields. This allows an authenticated WebGUI user with privileges for wizard.php to execute commands in the context of the root user.

A user on version 2.3.2_1 or earlier of the pfSense software who has been granted limited access to the pfSense WebGUI, including access to wizard.php, could leverage this vulnerability to gain increased privileges, read other files, execute commands, or perform other alterations.

This is not relevant for admin-level users, as there are other deliberate means by which an administrator can run commands.
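As an added illustration (not pfSense's own code, which this advisory does not reproduce), the PHP below contrasts the pattern the advisory describes, building a config assignment as source text and handing it to eval(), with a replacement that treats the field path as data and walks the config array by reference. The function names, key pattern and config layout are hypothetical.

```php
<?php
// Added example, not pfSense code. Shows an eval-based field setter (the
// pattern the advisory describes) next to a data-only replacement.

// Unsafe pattern: path and value are spliced into PHP source and executed, so
// any user-controlled text becomes code; quoting cannot be relied on to contain it.
function update_config_field_unsafe(array &$config, string $path, string $value): void {
    $code = '$config';
    foreach (explode('/', $path) as $key) {
        $code .= "['" . $key . "']";
    }
    $code .= ' = "' . $value . '";';   // user-controlled text becomes PHP source
    eval($code);
}

// Safe replacement: validate each key against an allow-list pattern and walk
// the array by reference. No source text is generated or executed.
function update_config_field_safe(array &$config, string $path, $value): bool {
    $node = &$config;
    foreach (explode('/', $path) as $key) {
        if (!preg_match('/^[A-Za-z0-9_-]+$/', $key)) {
            return false;                           // reject unexpected key characters
        }
        if (!isset($node[$key]) || !is_array($node[$key])) {
            $node[$key] = [];                       // create missing intermediate nodes
        }
        $node = &$node[$key];
    }
    // Multi-select fields (interfaces_selection style) arrive as arrays; keep
    // them as arrays instead of stringifying them into a generated assignment.
    $node = is_array($value) ? array_values($value) : (string) $value;
    return true;
}

// Constructed sample config and calls.
$config = ['interfaces' => []];
update_config_field_safe($config, 'interfaces/lan/descr', 'LAN');
update_config_field_safe($config, 'wizard/interfaces_selection', ['wan', 'lan']);
var_dump(update_config_field_safe($config, 'interfaces/$(id)', 'x'));  // bool(false): key rejected
print_r($config);
```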