Vulnerability Details : CVE-2020-19678
Directory traversal vulnerability in pfSense v2.1.3 and the pfSense Suricata package (Suricata v1.4.6, pkg v1.0.1) allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php.
Vulnerability category: Directory traversal
Products affected by CVE-2020-19678
- cpe:2.3:a:pfsense:pfsense:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:pfsense:suricata_package:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oisf:suricata:1.4.6:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-19678
- EPSS score: 0.29% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~69% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2020-19678
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | 
CWE ids for CVE-2020-19678
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Assigned by: nvd@nist.gov (Primary)
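The weakness described above, as an added example that is not code from the pfSense package (which is written in PHP): a constructed log-browser helper in Python that shows the unchecked concatenation of a user-supplied `file` value onto the log directory beside a containment check that rejects any value resolving outside that directory. The directory and file names are constructed for the demonstration.

```python
import os
import tempfile

# Constructed scenario (not pfSense's own code): a log browser that takes a
# user-supplied "file" parameter and serves it from a fixed log directory.
LOG_DIR_NAME = "suricata_logs"


def read_log_unsafe(log_dir: str, requested: str) -> str:
    """Vulnerable pattern: the parameter is joined onto the base path
    without checking where the result actually points."""
    with open(os.path.join(log_dir, requested)) as fh:
        return fh.read()


def resolve_log_path(log_dir: str, requested: str) -> str:
    """Hardened pattern: canonicalise both paths and require that the
    resolved target stays inside log_dir. Returns the absolute path or
    raises PermissionError."""
    base = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # Compare path components, not string prefixes, so a sibling directory
    # such as "suricata_logs_other" is not mistaken for the log directory.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing path outside log directory: {requested!r}")
    return target


def read_log_safe(log_dir: str, requested: str) -> str:
    with open(resolve_log_path(log_dir, requested)) as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway directory tree and exercise both readers.
    Returns the outcomes so they can be checked rather than printed."""
    with tempfile.TemporaryDirectory() as root:
        log_dir = os.path.join(root, LOG_DIR_NAME)
        os.mkdir(log_dir)
        with open(os.path.join(log_dir, "alerts.log"), "w") as fh:
            fh.write("alert line\n")
        # A file one level above the log directory stands in for any
        # file the browser must never serve.
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("not a log\n")
        traversal = os.path.join("..", "secret.txt")
        results = {
            "safe_ok": read_log_safe(log_dir, "alerts.log"),
            "unsafe_leaks": read_log_unsafe(log_dir, traversal),
        }
        try:
            read_log_safe(log_dir, traversal)
            results["safe_blocks"] = False
        except PermissionError:
            results["safe_blocks"] = True
        return results
```

The same containment check applies whatever the request parameter is called; the `commonpath` comparison is what closes the gap the CWE text describes.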
References for CVE-2020-19678
- https://github.com/pfsense/pfsense-packages/commit/59ed3438729fd56452f58a0f79f0c288db982ac3 (Patch): "Fix file browser vulnerability on LOGS BROWSER tab." · pfsense/pfsense-packages@59ed343 · GitHub
- https://pastebin.com/8dj59053 (Exploit; Third Party Advisory): "LFI vulnerability in Suricata 1.4.6 on Pfsense 2.1.3" · Pastebin.com
- http://www.2ngon.com/2015/01/lfi-vulnerability-suricata-146-pkg-v101.html (Broken Link): 2ngon.com