← volver
CVE-2021-41282

CVE-2021-41282

EPSS 87.1%
Vexday Risk Score
40Atención
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
Madurez del exploit
Exploit funcional
Exploit automatizable disponible (Nuclei/Metasploit).
CVSS EPSS 87.1%KEV nãoPoC Nuclei simMetasploit simPatch
Ciclo de vida
23 feb 2022Exploit Metasploit disponible
01 mar 2022Publicada en NVD
Recomendación: Planificar corrección próxima — ya existe PoC pública.
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.
Productos afectados
n/a · n/a