CVE-2021-41282

HIGH Year: 2021
CVSS v3 Score
8.8
High
CVSS v2 Score
9.0
Critical
Weakness Type
CWE-74
View all →

Vulnerability Description

diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.

Related Vulnerabilities

CVE-2013-3628

HIGH
CVSS:8.8(High)

Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability

CWE-742013

CVE-2014-5083

HIGH
CVSS:8.8(High)

A Command Execution vulnerability exists in Sphider before 1.3.6 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code. CVE-2014-5083 p...

CWE-742014

CVE-2014-5084

HIGH
CVSS:8.8(High)

A Command Execution vulnerability exists in Sphider Pro 3.2 due to insufficient sanitization of fwrite, which could let a remote malicious user execute arbitrary code. CVE-2014-5084 pertains to instan...

CWE-742014

CVE-2014-5085

HIGH
CVSS:8.8(High)

A Command Execution vulnerability exists in Sphider Plus 3.2 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code. CVE-2014-5085 perta...

CWE-742014

CVE-2014-5086

HIGH
CVSS:8.8(High)

A Command Execution vulnerability exists in Sphider Pro, and Sphider Plus 3.2 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code. CV...

CWE-742014