Vulnerability Name:

CVE-2019-12584 (CCN-162018)

Assigned: 2019-05-28
Published: 2019-05-28
Updated: 2019-06-04
Summary: Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an XSS issue in apcupsd_status.php.
CVSS v3 Severity: 6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Cross-Site Scripting
References:

Source: MITRE
Type: CNA
CVE-2019-12584

Source: MISC
Type: UNKNOWN
https://ctrsec.io/index.php/2019/05/28/cve-2019-12584-12585-command-injection-vulnerability-on-pfsense-2-4-4-release-p3/

Source: XF
Type: UNKNOWN
pfsense-cve201912584-xss(162018)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/pfsense/FreeBSD-ports/commit/b492c0ea47aba8dde2f14183e71498ba207594e3

Source: CCN
Type: pfSense Bug #9556
Encoding/validation issues in apcupsd_status.php

Source: MISC
Type: Third Party Advisory
https://redmine.pfsense.org/issues/9556

Source: CCN
Type: pfSense Web site
Apcupsd package

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:apcupsd:apcupsd:0.3.91_5:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:netgate:pfsense:*:*:*:*:*:*:*:* (Version < 2.4.4)
  • OR cpe:/a:netgate:pfsense:2.4.4:-:*:*:*:*:*:*
  • OR cpe:/a:netgate:pfsense:2.4.4:p1:*:*:*:*:*:*
  • OR cpe:/a:netgate:pfsense:2.4.4:p2:*:*:*:*:*:*
  • OR cpe:/a:netgate:pfsense:2.4.4:p3:*:*:*:*:*:*

* Denotes that component is vulnerable
    apcupsd apcupsd 0.3.91_5
    netgate pfsense *
    netgate pfsense 2.4.4 -
    netgate pfsense 2.4.4 p1
    netgate pfsense 2.4.4 p2
    netgate pfsense 2.4.4 p3