Cyber Resilience

CVE-2023-39002

Severity: Medium
Public PoC: yes

Published: 09 August 2023

Modified: 21 November 2024
KEV Added: not listed
CVSS v3.1 score: 6.1 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS score: 0.2358 (96.1st percentile)
Risk priority: 26 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-39002 is a medium-severity cross-site scripting (CWE-79) vulnerability in OPNsense (vendor OPNsense). Its CVSS base score is 6.1 (Medium).

Operationally, it is ranked in the top 3.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability CVE-2023-39002 is a cross-site scripting flaw in the act parameter of system_certmanager.php, affecting OPNsense Community Edition versions before 23.7 and Business Edition versions before 23.4.2. Classified as CWE-79 with a CVSS 3.1 score of 6.1, the issue stems from insufficient sanitization that allows arbitrary web scripts or HTML to be injected and rendered via a crafted payload.

Attackers without authentication can exploit the flaw by delivering a malicious payload that executes in a victim's browser when the parameter is processed. Because the attack vector requires user interaction (UI:R) and results in a changed scope (S:C), successful exploitation can achieve limited impacts on confidentiality and integrity, such as script execution that alters page content or accesses session data within the OPNsense web interface.

The referenced OPNsense core commit a4f6a8f8d604271f81984cfcbba0471af58e34dc implements the fix for the input handling defect, and administrators are advised to upgrade to the patched releases. The Logical Trust analysis at the provided URL details the discovery and confirms that the vulnerability is resolved by applying these updates. The associated EPSS score has remained flat at its peak value of 0.2358 with no material increase observed.
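As an added illustration (not OPNsense's code, and not the fix in the commit referenced above), the hypothetical PHP handler below shows the defensive pattern that closes a reflected XSS in a request parameter such as act: accept only values from an allowlist, and HTML-encode anything that is still written back into the page. The action names are assumptions chosen for the example.

```php
<?php
// Added example, not OPNsense code: hypothetical handler for an "act" query parameter.
// Two layers of defence against reflected XSS (CWE-79):
//  1. Validate: the parameter is accepted only if it names a known action.
//  2. Encode: any value written back into HTML goes through htmlspecialchars().

const ALLOWED_ACTIONS = ['new', 'edit', 'del', 'exp', 'csr'];   // hypothetical action names

function resolveAction(?string $act): string
{
    // Unknown or missing actions fall back to a safe default instead of being echoed.
    if ($act === null || !in_array($act, ALLOWED_ACTIONS, true)) {
        return 'list';
    }
    return $act;
}

function h(string $value): string
{
    // Encode for an HTML body or attribute context; ENT_QUOTES also encodes single quotes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$act = resolveAction($_GET['act'] ?? null);

// Vulnerable pattern, shown for contrast: the raw parameter is reflected into markup.
//   echo '<input type="hidden" name="act" value="' . $_GET['act'] . '">';
// Hardened: only an allowlisted value reaches the page, and it is encoded regardless.
echo '<input type="hidden" name="act" value="' . h($act) . '">';
echo '<h2>Certificate manager: ' . h($act) . '</h2>';
```

Validation and output encoding are independent controls; keeping both means a future change to the allowlist cannot silently reopen the reflection.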

Vulnerability details

A cross-site scripting (XSS) vulnerability in the act parameter of system_certmanager.php in OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CWE(s)

CWE-79 (Cross-site Scripting)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: opnsense
Product: opnsense
Versions: ≤ 23.7

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-79: Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

Addresses CWE-79: Validates web inputs to reject script-related content that could produce XSS.

Addresses CWE-79: Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.