Researchers at High-Tech Bridge have uncovered multiple flaws in the web interface of pfSense, which can be exploited to perform cross-site scripting and cross-site request forgery attacks.
“Successful exploitation of the vulnerabilities may allow an attacker to delete arbitrary files on the system with root privileges, steal administrator’s cookies and gain complete control over the web application and even the entire system, as pfSense is running with root privileges and allows OS command execution via its web interface,” according to the High-Tech Bridge advisory.
The issues have been patched, and users are advised to update to the latest version.