{"id":"CVE-2021-20729","details":"Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL.","modified":"2026-04-11T12:35:23.189056Z","published":"2022-03-31T08:15:08.130Z","database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"last_affected":"21.05"}],"cpe":"cpe:2.3:a:netgate:pfsense_plus:*:*:*:*:*:*:*:*"}]},"references":[{"type":"ADVISORY","url":"https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc"},{"type":"ADVISORY","url":"https://jvn.jp/en/jp/JVN87751554/index.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pfsense/pfsense","events":[{"introduced":"0"},{"last_affected":"81891ef87be63352e1c32d28ca9fc08bbf641989"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"2.5.2"}],"cpe":"cpe:2.3:a:pfsense:pfsense:*:*:*:*:community:*:*:*"}}],"versions":["RELENG_2_2_BETA","Root_RELENG_1_2","v2.5.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-20729.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}