CVE-2019-16915
on github
Published
Severity
CVSS v3:
9.8 CRITICAL
CVSS v2:
7.5 HIGH
Description
An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents.
References
Configurations
| CPE23 | Version Start | Version End | Exact Version |
|---|---|---|---|
| cpe:2.3:a:netgate:pfsense:*:*:*:*:*:*:*:* | n/a | 2.4.4 | * |
| cpe:2.3:a:netgate:pfsense:2.4.4:p1:*:*:*:*:*:* | n/a | n/a | 2.4.4 |
| cpe:2.3:a:netgate:pfsense:2.4.4:p3:*:*:*:*:*:* | n/a | n/a | 2.4.4 |
| cpe:2.3:a:netgate:pfsense:2.4.4:p2:*:*:*:*:*:* | n/a | n/a | 2.4.4 |
| cpe:2.3:a:netgate:pfsense:2.4.4:-:*:*:*:*:*:* | n/a | n/a | 2.4.4 |