Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cross-Site Request Forgery (CSRF) in opnsense/core
Vulnerability Description
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state‑changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross‑Site Request Forgery vulnerability allowing unauthorized system state changes. This vulnerability is fixed in 26.1.4.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L
Vulnerability Type
跨站请求伪造(CSRF)
Vulnerability Title
Deciso OPNsense 跨站请求伪造漏洞
Vulnerability Description
Deciso OPNsense是荷兰Deciso公司的一套基于FreeBSD的开源防火墙和路由软件。 Deciso OPNsense 26.1.4之前版本存在跨站请求伪造漏洞,该漏洞源于多个OPNsense MVC API端点可通过HTTP GET请求执行状态更改操作且无CSRF保护,框架CSRF验证仅适用于POST/PUT/DELETE方法,可能导致经过身份验证的跨站请求伪造,从而造成未经授权的系统状态更改。
CVSS Information
N/A
Vulnerability Type
N/A