CVE-2018-4019

CVE Database · CVE-2018-4019

CVE-2018-4019

· HIGHModified

CVSS v3.1

7.2

EPSS

48.72%

Published

Dec 3, 2018

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_normal_mode` parameter.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-78

Affected Products (1)

netgate · pfsensevulnerable

References (2)

https://talosintelligence.com/vulnerability_reports/TALOS-2018-0690

ExploitThird Party Advisory

https://talosintelligence.com/vulnerability_reports/TALOS-2018-0690

ExploitThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs