Search criteria
92 vulnerabilities found for IPFire by IPFire
CVE-2019-25398 (GCVE-0-2019-25398)
Vulnerability from nvd – Published: 2026-02-18 20:59 – Updated: 2026-02-18 20:59
VLAI?
Title
IPFire 2.21 Core Update 127 Cross-Site Scripting via ovpnmain.cgi
Summary
IPFire 2.21 Core Update 127 contains multiple cross-site scripting vulnerabilities in the ovpnmain.cgi script that allow attackers to inject malicious scripts through VPN configuration parameters. Attackers can submit POST requests with script payloads in parameters like VPN_IP, DMTU, ccdname, ccdsubnet, DOVPN_SUBNET, DHCP_DOMAIN, DHCP_DNS, DHCP_WINS, ROUTES_PUSH, FRAGMENT, KEEPALIVE_1, and KEEPALIVE_2 to execute arbitrary JavaScript in administrator browsers.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
Ozer Goker
{
"containers": {
"cna": {
"affected": [
{
"product": "IPFire",
"vendor": "Ipfire",
"versions": [
{
"status": "affected",
"version": "IPFire 2.21 - Core Update 127"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ozer Goker"
}
],
"datePublic": "2019-02-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IPFire 2.21 Core Update 127 contains multiple cross-site scripting vulnerabilities in the ovpnmain.cgi script that allow attackers to inject malicious scripts through VPN configuration parameters. Attackers can submit POST requests with script payloads in parameters like VPN_IP, DMTU, ccdname, ccdsubnet, DOVPN_SUBNET, DHCP_DOMAIN, DHCP_DNS, DHCP_WINS, ROUTES_PUSH, FRAGMENT, KEEPALIVE_1, and KEEPALIVE_2 to execute arbitrary JavaScript in administrator browsers."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:59:09.712Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46344",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46344"
},
{
"name": "IPFire Official Website",
"tags": [
"product"
],
"url": "https://www.ipfire.org"
},
{
"name": "IPFire 2.21 Core Update 127 Download",
"tags": [
"patch"
],
"url": "https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso"
},
{
"name": "VulnCheck Advisory: IPFire 2.21 Core Update 127 Cross-Site Scripting via ovpnmain.cgi",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-core-update-cross-site-scripting-via-ovpnma"
}
],
"title": "IPFire 2.21 Core Update 127 Cross-Site Scripting via ovpnmain.cgi",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25398",
"datePublished": "2026-02-18T20:59:09.712Z",
"dateReserved": "2026-02-18T19:19:16.600Z",
"dateUpdated": "2026-02-18T20:59:09.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25400 (GCVE-0-2019-25400)
Vulnerability from nvd – Published: 2026-02-18 20:59 – Updated: 2026-02-18 20:59
VLAI?
Title
IPFire 2.21 Core Update 127 Multiple XSS via fwhosts.cgi
Summary
IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp_name, remark, SRV_NAME, SRV_PORT, SRVGRP_NAME, SRVGRP_REMARK, and updatesrvgrp. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated users' browsers.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
Ozer Goker
{
"containers": {
"cna": {
"affected": [
{
"product": "IPFire",
"vendor": "Ipfire",
"versions": [
{
"status": "affected",
"version": "IPFire 2.21 - Core Update 127"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ozer Goker"
}
],
"datePublic": "2019-02-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp_name, remark, SRV_NAME, SRV_PORT, SRVGRP_NAME, SRVGRP_REMARK, and updatesrvgrp. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated users\u0027 browsers."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:59:11.293Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46344",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46344"
},
{
"name": "IPFire Official Website",
"tags": [
"product"
],
"url": "https://www.ipfire.org"
},
{
"name": "IPFire 2.21 Core Update 127 Download",
"tags": [
"patch"
],
"url": "https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso"
},
{
"name": "VulnCheck Advisory: IPFire 2.21 Core Update 127 Multiple XSS via fwhosts.cgi",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-core-update-multiple-xss-via-fwhostscgi"
}
],
"title": "IPFire 2.21 Core Update 127 Multiple XSS via fwhosts.cgi",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25400",
"datePublished": "2026-02-18T20:59:11.293Z",
"dateReserved": "2026-02-18T19:21:21.542Z",
"dateUpdated": "2026-02-18T20:59:11.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25399 (GCVE-0-2019-25399)
Vulnerability from nvd – Published: 2026-02-18 20:59 – Updated: 2026-02-18 20:59
VLAI?
Title
IPFire 2.21 Core Update 127 Stored XSS via extrahd.cgi
Summary
IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID parameters. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
Ozer Goker
{
"containers": {
"cna": {
"affected": [
{
"product": "IPFire",
"vendor": "Ipfire",
"versions": [
{
"status": "affected",
"version": "IPFire 2.21 - Core Update 127"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ozer Goker"
}
],
"datePublic": "2019-02-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID parameters. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:59:10.495Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46344",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46344"
},
{
"name": "IPFire Official Website",
"tags": [
"product"
],
"url": "https://www.ipfire.org"
},
{
"name": "IPFire 2.21 Core Update 127 Download",
"tags": [
"patch"
],
"url": "https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso"
},
{
"name": "VulnCheck Advisory: IPFire 2.21 Core Update 127 Stored XSS via extrahd.cgi",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-core-update-stored-xss-via-extrahdcgi"
}
],
"title": "IPFire 2.21 Core Update 127 Stored XSS via extrahd.cgi",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25399",
"datePublished": "2026-02-18T20:59:10.495Z",
"dateReserved": "2026-02-18T19:20:36.501Z",
"dateUpdated": "2026-02-18T20:59:10.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25397 (GCVE-0-2019-25397)
Vulnerability from nvd – Published: 2026-02-18 20:59 – Updated: 2026-02-18 20:59
VLAI?
Title
IPFire 2.21 Core Update 127 Cross-Site Scripting via hosts.cgi
Summary
IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. Attackers can submit POST requests with script payloads in the KEY1, IP, HOST, or DOM parameters to execute arbitrary JavaScript in users' browsers.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
Ozer Goker
{
"containers": {
"cna": {
"affected": [
{
"product": "IPFire",
"vendor": "Ipfire",
"versions": [
{
"status": "affected",
"version": "IPFire 2.21 - Core Update 127"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ozer Goker"
}
],
"datePublic": "2019-02-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. Attackers can submit POST requests with script payloads in the KEY1, IP, HOST, or DOM parameters to execute arbitrary JavaScript in users\u0027 browsers."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:59:08.864Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46344",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46344"
},
{
"name": "IPFire Official Website",
"tags": [
"product"
],
"url": "https://www.ipfire.org"
},
{
"name": "IPFire 2.21 Core Update 127 Download",
"tags": [
"patch"
],
"url": "https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso"
},
{
"name": "VulnCheck Advisory: IPFire 2.21 Core Update 127 Cross-Site Scripting via hosts.cgi",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-core-update-cross-site-scripting-via-hostsc"
}
],
"title": "IPFire 2.21 Core Update 127 Cross-Site Scripting via hosts.cgi",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25397",
"datePublished": "2026-02-18T20:59:08.864Z",
"dateReserved": "2026-02-18T19:16:33.428Z",
"dateUpdated": "2026-02-18T20:59:08.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25396 (GCVE-0-2019-25396)
Vulnerability from nvd – Published: 2026-02-18 20:59 – Updated: 2026-02-18 20:59
VLAI?
Title
IPFire 2.21 Core Update 127 Reflected XSS via updatexlrator.cgi
Summary
IPFire 2.21 Core Update 127 contains a reflected cross-site scripting vulnerability in the updatexlrator.cgi script that allows attackers to inject malicious scripts through POST parameters. Attackers can submit crafted requests with script payloads in the MAX_DISK_USAGE or MAX_DOWNLOAD_RATE parameters to execute arbitrary JavaScript in users' browsers.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
Ozer Goker
{
"containers": {
"cna": {
"affected": [
{
"product": "IPFire",
"vendor": "Ipfire",
"versions": [
{
"status": "affected",
"version": "IPFire 2.21 - Core Update 127"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ozer Goker"
}
],
"datePublic": "2019-02-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IPFire 2.21 Core Update 127 contains a reflected cross-site scripting vulnerability in the updatexlrator.cgi script that allows attackers to inject malicious scripts through POST parameters. Attackers can submit crafted requests with script payloads in the MAX_DISK_USAGE or MAX_DOWNLOAD_RATE parameters to execute arbitrary JavaScript in users\u0027 browsers."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:59:07.991Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46344",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46344"
},
{
"name": "IPFire Official Website",
"tags": [
"product"
],
"url": "https://www.ipfire.org"
},
{
"name": "IPFire 2.21 Core Update 127 Download",
"tags": [
"patch"
],
"url": "https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso"
},
{
"name": "VulnCheck Advisory: IPFire 2.21 Core Update 127 Reflected XSS via updatexlrator.cgi",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-core-update-reflected-xss-via-updatexlrator"
}
],
"title": "IPFire 2.21 Core Update 127 Reflected XSS via updatexlrator.cgi",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25396",
"datePublished": "2026-02-18T20:59:07.991Z",
"dateReserved": "2026-02-18T19:14:31.673Z",
"dateUpdated": "2026-02-18T20:59:07.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34311 (GCVE-0-2025-34311)
Vulnerability from nvd – Published: 2025-10-28 14:43 – Updated: 2025-10-28 15:16
VLAI?
Title
IPFire < v2.29 Command Injection via Proxy Report Creation
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user 'nobody' via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the 'nobody' user.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:15:44.775017Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:16:34.491Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/logs.cgi/calamaris.dat"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u0026nbsp;a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user \u0027nobody\u0027 via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the \u0027nobody\u0027 user.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user \u0027nobody\u0027 via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the \u0027nobody\u0027 user."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:43:31.324Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13886"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-command-injection-via-proxy-report-creation"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 Command Injection via Proxy Report Creation",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34311",
"datePublished": "2025-10-28T14:43:31.324Z",
"dateReserved": "2025-04-15T19:15:22.583Z",
"dateUpdated": "2025-10-28T15:16:34.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-25400 (GCVE-0-2019-25400)
Vulnerability from cvelistv5 – Published: 2026-02-18 20:59 – Updated: 2026-02-18 20:59
VLAI?
Title
IPFire 2.21 Core Update 127 Multiple XSS via fwhosts.cgi
Summary
IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp_name, remark, SRV_NAME, SRV_PORT, SRVGRP_NAME, SRVGRP_REMARK, and updatesrvgrp. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated users' browsers.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
Ozer Goker
{
"containers": {
"cna": {
"affected": [
{
"product": "IPFire",
"vendor": "Ipfire",
"versions": [
{
"status": "affected",
"version": "IPFire 2.21 - Core Update 127"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ozer Goker"
}
],
"datePublic": "2019-02-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp_name, remark, SRV_NAME, SRV_PORT, SRVGRP_NAME, SRVGRP_REMARK, and updatesrvgrp. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated users\u0027 browsers."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:59:11.293Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46344",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46344"
},
{
"name": "IPFire Official Website",
"tags": [
"product"
],
"url": "https://www.ipfire.org"
},
{
"name": "IPFire 2.21 Core Update 127 Download",
"tags": [
"patch"
],
"url": "https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso"
},
{
"name": "VulnCheck Advisory: IPFire 2.21 Core Update 127 Multiple XSS via fwhosts.cgi",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-core-update-multiple-xss-via-fwhostscgi"
}
],
"title": "IPFire 2.21 Core Update 127 Multiple XSS via fwhosts.cgi",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25400",
"datePublished": "2026-02-18T20:59:11.293Z",
"dateReserved": "2026-02-18T19:21:21.542Z",
"dateUpdated": "2026-02-18T20:59:11.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25399 (GCVE-0-2019-25399)
Vulnerability from cvelistv5 – Published: 2026-02-18 20:59 – Updated: 2026-02-18 20:59
VLAI?
Title
IPFire 2.21 Core Update 127 Stored XSS via extrahd.cgi
Summary
IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID parameters. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
Ozer Goker
{
"containers": {
"cna": {
"affected": [
{
"product": "IPFire",
"vendor": "Ipfire",
"versions": [
{
"status": "affected",
"version": "IPFire 2.21 - Core Update 127"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ozer Goker"
}
],
"datePublic": "2019-02-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID parameters. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:59:10.495Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46344",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46344"
},
{
"name": "IPFire Official Website",
"tags": [
"product"
],
"url": "https://www.ipfire.org"
},
{
"name": "IPFire 2.21 Core Update 127 Download",
"tags": [
"patch"
],
"url": "https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso"
},
{
"name": "VulnCheck Advisory: IPFire 2.21 Core Update 127 Stored XSS via extrahd.cgi",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-core-update-stored-xss-via-extrahdcgi"
}
],
"title": "IPFire 2.21 Core Update 127 Stored XSS via extrahd.cgi",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25399",
"datePublished": "2026-02-18T20:59:10.495Z",
"dateReserved": "2026-02-18T19:20:36.501Z",
"dateUpdated": "2026-02-18T20:59:10.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25398 (GCVE-0-2019-25398)
Vulnerability from cvelistv5 – Published: 2026-02-18 20:59 – Updated: 2026-02-18 20:59
VLAI?
Title
IPFire 2.21 Core Update 127 Cross-Site Scripting via ovpnmain.cgi
Summary
IPFire 2.21 Core Update 127 contains multiple cross-site scripting vulnerabilities in the ovpnmain.cgi script that allow attackers to inject malicious scripts through VPN configuration parameters. Attackers can submit POST requests with script payloads in parameters like VPN_IP, DMTU, ccdname, ccdsubnet, DOVPN_SUBNET, DHCP_DOMAIN, DHCP_DNS, DHCP_WINS, ROUTES_PUSH, FRAGMENT, KEEPALIVE_1, and KEEPALIVE_2 to execute arbitrary JavaScript in administrator browsers.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
Ozer Goker
{
"containers": {
"cna": {
"affected": [
{
"product": "IPFire",
"vendor": "Ipfire",
"versions": [
{
"status": "affected",
"version": "IPFire 2.21 - Core Update 127"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ozer Goker"
}
],
"datePublic": "2019-02-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IPFire 2.21 Core Update 127 contains multiple cross-site scripting vulnerabilities in the ovpnmain.cgi script that allow attackers to inject malicious scripts through VPN configuration parameters. Attackers can submit POST requests with script payloads in parameters like VPN_IP, DMTU, ccdname, ccdsubnet, DOVPN_SUBNET, DHCP_DOMAIN, DHCP_DNS, DHCP_WINS, ROUTES_PUSH, FRAGMENT, KEEPALIVE_1, and KEEPALIVE_2 to execute arbitrary JavaScript in administrator browsers."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:59:09.712Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46344",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46344"
},
{
"name": "IPFire Official Website",
"tags": [
"product"
],
"url": "https://www.ipfire.org"
},
{
"name": "IPFire 2.21 Core Update 127 Download",
"tags": [
"patch"
],
"url": "https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso"
},
{
"name": "VulnCheck Advisory: IPFire 2.21 Core Update 127 Cross-Site Scripting via ovpnmain.cgi",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-core-update-cross-site-scripting-via-ovpnma"
}
],
"title": "IPFire 2.21 Core Update 127 Cross-Site Scripting via ovpnmain.cgi",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25398",
"datePublished": "2026-02-18T20:59:09.712Z",
"dateReserved": "2026-02-18T19:19:16.600Z",
"dateUpdated": "2026-02-18T20:59:09.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25397 (GCVE-0-2019-25397)
Vulnerability from cvelistv5 – Published: 2026-02-18 20:59 – Updated: 2026-02-18 20:59
VLAI?
Title
IPFire 2.21 Core Update 127 Cross-Site Scripting via hosts.cgi
Summary
IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. Attackers can submit POST requests with script payloads in the KEY1, IP, HOST, or DOM parameters to execute arbitrary JavaScript in users' browsers.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
Ozer Goker
{
"containers": {
"cna": {
"affected": [
{
"product": "IPFire",
"vendor": "Ipfire",
"versions": [
{
"status": "affected",
"version": "IPFire 2.21 - Core Update 127"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ozer Goker"
}
],
"datePublic": "2019-02-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. Attackers can submit POST requests with script payloads in the KEY1, IP, HOST, or DOM parameters to execute arbitrary JavaScript in users\u0027 browsers."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:59:08.864Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46344",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46344"
},
{
"name": "IPFire Official Website",
"tags": [
"product"
],
"url": "https://www.ipfire.org"
},
{
"name": "IPFire 2.21 Core Update 127 Download",
"tags": [
"patch"
],
"url": "https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso"
},
{
"name": "VulnCheck Advisory: IPFire 2.21 Core Update 127 Cross-Site Scripting via hosts.cgi",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-core-update-cross-site-scripting-via-hostsc"
}
],
"title": "IPFire 2.21 Core Update 127 Cross-Site Scripting via hosts.cgi",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25397",
"datePublished": "2026-02-18T20:59:08.864Z",
"dateReserved": "2026-02-18T19:16:33.428Z",
"dateUpdated": "2026-02-18T20:59:08.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25396 (GCVE-0-2019-25396)
Vulnerability from cvelistv5 – Published: 2026-02-18 20:59 – Updated: 2026-02-18 20:59
VLAI?
Title
IPFire 2.21 Core Update 127 Reflected XSS via updatexlrator.cgi
Summary
IPFire 2.21 Core Update 127 contains a reflected cross-site scripting vulnerability in the updatexlrator.cgi script that allows attackers to inject malicious scripts through POST parameters. Attackers can submit crafted requests with script payloads in the MAX_DISK_USAGE or MAX_DOWNLOAD_RATE parameters to execute arbitrary JavaScript in users' browsers.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
Ozer Goker
{
"containers": {
"cna": {
"affected": [
{
"product": "IPFire",
"vendor": "Ipfire",
"versions": [
{
"status": "affected",
"version": "IPFire 2.21 - Core Update 127"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ozer Goker"
}
],
"datePublic": "2019-02-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "IPFire 2.21 Core Update 127 contains a reflected cross-site scripting vulnerability in the updatexlrator.cgi script that allows attackers to inject malicious scripts through POST parameters. Attackers can submit crafted requests with script payloads in the MAX_DISK_USAGE or MAX_DOWNLOAD_RATE parameters to execute arbitrary JavaScript in users\u0027 browsers."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:59:07.991Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46344",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46344"
},
{
"name": "IPFire Official Website",
"tags": [
"product"
],
"url": "https://www.ipfire.org"
},
{
"name": "IPFire 2.21 Core Update 127 Download",
"tags": [
"patch"
],
"url": "https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso"
},
{
"name": "VulnCheck Advisory: IPFire 2.21 Core Update 127 Reflected XSS via updatexlrator.cgi",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-core-update-reflected-xss-via-updatexlrator"
}
],
"title": "IPFire 2.21 Core Update 127 Reflected XSS via updatexlrator.cgi",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25396",
"datePublished": "2026-02-18T20:59:07.991Z",
"dateReserved": "2026-02-18T19:14:31.673Z",
"dateUpdated": "2026-02-18T20:59:07.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-34311 (GCVE-0-2025-34311)
Vulnerability from cvelistv5 – Published: 2025-10-28 14:43 – Updated: 2025-10-28 15:16
VLAI?
Title
IPFire < v2.29 Command Injection via Proxy Report Creation
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user 'nobody' via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the 'nobody' user.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:15:44.775017Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:16:34.491Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/logs.cgi/calamaris.dat"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u0026nbsp;a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user \u0027nobody\u0027 via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the \u0027nobody\u0027 user.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user \u0027nobody\u0027 via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the \u0027nobody\u0027 user."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:43:31.324Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13886"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-command-injection-via-proxy-report-creation"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 Command Injection via Proxy Report Creation",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34311",
"datePublished": "2025-10-28T14:43:31.324Z",
"dateReserved": "2025-04-15T19:15:22.583Z",
"dateUpdated": "2025-10-28T15:16:34.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34312 (GCVE-0-2025-34312)
Vulnerability from cvelistv5 – Published: 2025-10-28 14:37 – Updated: 2025-10-28 15:17
VLAI?
Title
IPFire < v2.29 Command Injection via URL Filter Blacklist
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the 'nobody' user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the 'nobody' user.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:16:52.840126Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:17:00.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/urlfilter.cgi"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u0026nbsp;a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the \u0027nobody\u0027 user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the \u0027nobody\u0027 user.\u003cbr\u003e"
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the \u0027nobody\u0027 user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the \u0027nobody\u0027 user."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:43:48.395Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13887"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-command-injection-via-url-filter-blacklist"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 Command Injection via URL Filter Blacklist",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34312",
"datePublished": "2025-10-28T14:37:47.417Z",
"dateReserved": "2025-04-15T19:15:22.583Z",
"dateUpdated": "2025-10-28T15:17:00.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2025-34317
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:03
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the TLS_HOSTNAME parameter when adding a new DNS entry. When a user adds a DNS entry, the application issues an HTTP POST request to /cgi-bin/dns.cgi and the TLS hostname is provided in the TLS_HOSTNAME parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected DNS configuration.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13892 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-dns-settings-dns-cgi | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "152B0C0E-533C-46A3-8688-A7A2282353E8",
"versionEndIncluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the TLS_HOSTNAME parameter when adding a new DNS entry. When a user adds a DNS entry, the application issues an HTTP POST request to /cgi-bin/dns.cgi and the TLS hostname is provided in the TLS_HOSTNAME parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected DNS configuration."
},
{
"lang": "es",
"value": "Las versiones de IPFire anteriores a la 2.29 (Core Update 198) contienen una vulnerabilidad de cross-site scripting (XSS) almacenado que permite a un atacante autenticado inyectar c\u00f3digo JavaScript arbitrario a trav\u00e9s del par\u00e1metro TLS_HOSTNAME al a\u00f1adir una nueva entrada DNS. Cuando un usuario a\u00f1ade una entrada DNS, la aplicaci\u00f3n emite una solicitud HTTP POST a /cgi-bin/dns.cgi y el nombre de host TLS se proporciona en el par\u00e1metro TLS_HOSTNAME. El valor de este par\u00e1metro se almacena y posteriormente se renderiza en la interfaz web sin la sanitizaci\u00f3n o codificaci\u00f3n adecuadas, permitiendo que los scripts inyectados se ejecuten en el contexto de otros usuarios que visualizan la configuraci\u00f3n DNS afectada."
}
],
"id": "CVE-2025-34317",
"lastModified": "2025-11-03T17:03:01.643",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:12.037",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13892"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-dns-settings-dns-cgi"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34316
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:02
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the txt_mailuser and txt_mailpass parameters when updating the mail server settings. When a user updates the mail server, the application issues an HTTP POST request to /cgi-bin/mail.cgi and the username and password are provided in the txt_mailuser and txt_mailpass parameters. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected mail configuration.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13891 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-mail-server-settings | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the txt_mailuser and txt_mailpass parameters when updating the mail server settings. When a user updates the mail server, the application issues an HTTP POST request to /cgi-bin/mail.cgi and the username and password are provided in the txt_mailuser and txt_mailpass parameters. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected mail configuration."
}
],
"id": "CVE-2025-34316",
"lastModified": "2025-11-03T17:02:53.210",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.930",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13891"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-mail-server-settings"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34315
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:02
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the REMOTELOG_ADDR parameter when updating the remote syslog server address. When a user updates the Remote logging Syslog server, the application issues an HTTP POST request to /cgi-bin/logs.cgi/config.dat and the server address is provided in the REMOTELOG_ADDR parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected configuration page.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13890 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-remote-syslog-server-address | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the REMOTELOG_ADDR parameter when updating the remote syslog server address. When a user updates the Remote logging Syslog server, the application issues an HTTP POST request to /cgi-bin/logs.cgi/config.dat and the server address is provided in the REMOTELOG_ADDR parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected configuration page."
}
],
"id": "CVE-2025-34315",
"lastModified": "2025-11-03T17:02:45.220",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.823",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13890"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-remote-syslog-server-address"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34310
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:02
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the INC_SPD, OUT_SPD, DEFCLASS_INC, and DEFCLASS_OUT parameters when updating Quality of Service (QoS) settings. When a user updates speeds or classes, the application issues an HTTP POST request to /cgi-bin/qos.cgi and the values for incoming/outgoing speeds and default classes are provided in the INC_SPD, OUT_SPD, DEFCLASS_INC, and DEFCLASS_OUT parameters. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected QoS entries.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13883 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-quality-of-service-settings | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the INC_SPD, OUT_SPD, DEFCLASS_INC, and DEFCLASS_OUT parameters when updating Quality of Service (QoS) settings. When a user updates speeds or classes, the application issues an HTTP POST request to /cgi-bin/qos.cgi and the values for incoming/outgoing speeds and default classes are provided in the INC_SPD, OUT_SPD, DEFCLASS_INC, and DEFCLASS_OUT parameters. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected QoS entries."
}
],
"id": "CVE-2025-34310",
"lastModified": "2025-11-03T17:02:04.513",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.293",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13883"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-quality-of-service-settings"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34308
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the UPDATE_VALUE parameter when updating the default time synchronization settings. When the default values displayed on the Time Server page are updated, the application issues an HTTP POST request to /cgi-bin/time.cgi, and the synchronization value is provided in the UPDATE_VALUE parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected Time Server configuration page.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13883 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-time-sync | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the UPDATE_VALUE parameter when updating the default time synchronization settings. When the default values displayed on the Time Server page are updated, the application issues an HTTP POST request to /cgi-bin/time.cgi, and the synchronization value is provided in the UPDATE_VALUE parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected Time Server configuration page."
}
],
"id": "CVE-2025-34308",
"lastModified": "2025-11-03T17:01:51.640",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.080",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13883"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-time-sync"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34311
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:02
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user 'nobody' via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the 'nobody' user.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13886 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-command-injection-via-proxy-report-creation | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user \u0027nobody\u0027 via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the \u0027nobody\u0027 user."
}
],
"id": "CVE-2025-34311",
"lastModified": "2025-11-03T17:02:11.273",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.400",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13886"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-command-injection-via-proxy-report-creation"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34314
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:02
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the SRC, DST, and COMMENT parameters when creating a time constraint rule. When a user adds a time constraint rule the application issues an HTTP POST request to /cgi-bin/urlfilter.cgi with the MODE parameter set to TIMECONSTRAINT and the source hostnames/IPs, destination, and remark provided in the SRC, DST, and COMMENT parameters respectively. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected time constraint entry.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13889 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-time-constraint-rule-url-filter | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the SRC, DST, and COMMENT parameters when creating a time constraint rule. When a user adds a time constraint rule the application issues an HTTP POST request to /cgi-bin/urlfilter.cgi with the MODE parameter set to TIMECONSTRAINT and the source hostnames/IPs, destination, and remark provided in the SRC, DST, and COMMENT parameters respectively. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected time constraint entry."
}
],
"id": "CVE-2025-34314",
"lastModified": "2025-11-03T17:02:38.580",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.720",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13889"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-time-constraint-rule-url-filter"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34313
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:02
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the QUOTA_USERS parameter when creating a user quota rule. When a user adds a new user quota rule the application issues an HTTP POST request to /cgi-bin/urlfilter.cgi with the MODE parameter set to USERQUOTA and the assigned user(s) provided in the QUOTA_USERS parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected quota entry.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13888 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-user-quota-rule-url-filter | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the QUOTA_USERS parameter when creating a user quota rule. When a user adds a new user quota rule the application issues an HTTP POST request to /cgi-bin/urlfilter.cgi with the MODE parameter set to USERQUOTA and the assigned user(s) provided in the QUOTA_USERS parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected quota entry."
}
],
"id": "CVE-2025-34313",
"lastModified": "2025-11-03T17:02:29.217",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.613",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13888"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-user-quota-rule-url-filter"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34312
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:02
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the 'nobody' user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the 'nobody' user.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13887 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-command-injection-via-url-filter-blacklist | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the \u0027nobody\u0027 user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the \u0027nobody\u0027 user."
}
],
"id": "CVE-2025-34312",
"lastModified": "2025-11-03T17:02:22.193",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.510",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13887"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-command-injection-via-url-filter-blacklist"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34309
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the SERVICE, LOGIN, and PASSWORD parameters when creating or editing a Dynamic DNS host. When a new Dynamic DNS host is added, the application issues an HTTP POST request to /cgi-bin/ddns.cgi and saves the values of the LOGIN, PASSWORD, and SERVICE parameters. The SERVICE value is displayed after the host entry is created, and the LOGIN and PASSWORD values are displayed when that host entry is edited. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view or edit the affected Dynamic DNS entries.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13884 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-dynamic-dns-host | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the SERVICE, LOGIN, and PASSWORD parameters when creating or editing a Dynamic DNS host. When a new Dynamic DNS host is added, the application issues an HTTP POST request to /cgi-bin/ddns.cgi and saves the values of the LOGIN, PASSWORD, and SERVICE parameters. The SERVICE value is displayed after the host entry is created, and the LOGIN and PASSWORD values are displayed when that host entry is edited. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view or edit the affected Dynamic DNS entries."
}
],
"id": "CVE-2025-34309",
"lastModified": "2025-11-03T17:01:58.180",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.190",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13884"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-dynamic-dns-host"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34304
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a SQL injection vulnerability that allows an authenticated attacker to manipulate the SQL query used when viewing OpenVPN connection logs via the CONNECTION_NAME parameter. When viewing a range of OpenVPN connection logs, the application issues an HTTP POST request to the Request-URI /cgi-bin/logs.cgi/ovpnclients.dat and inserts the value of the CONNECTION_NAME parameter directly into the WHERE clause without proper sanitization or parameterization. The unsanitized value can alter the executed query and be used to disclose sensitive information from the database.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13879 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-sqli-via-openvpn-connection-logs | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a SQL injection vulnerability that allows an authenticated attacker to manipulate the SQL query used when viewing OpenVPN connection logs via the CONNECTION_NAME parameter. When viewing a range of OpenVPN connection logs, the application issues an HTTP POST request to the Request-URI /cgi-bin/logs.cgi/ovpnclients.dat and inserts the value of the CONNECTION_NAME parameter directly into the WHERE clause\u00a0without proper sanitization or parameterization. The unsanitized value can alter the executed query and be used to disclose sensitive information from the database."
}
],
"id": "CVE-2025-34304",
"lastModified": "2025-11-03T17:01:19.933",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:10.647",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13879"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-sqli-via-openvpn-connection-logs"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34307
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the firewall country search defaults. When a user updates the default values for the firewall country search, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogcountry.dat and the default number of countries to display is provided in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected firewall country search settings.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13882 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-country-search | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the firewall country search defaults. When a user updates the default values for the firewall country search, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogcountry.dat and the default number of countries to display is provided in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected firewall country search settings."
}
],
"id": "CVE-2025-34307",
"lastModified": "2025-11-03T17:01:43.500",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:10.973",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13882"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-country-search"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34306
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the default firewall IP search values. When a user updates these defaults, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogip.dat with the default number of IPs in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected page.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13881 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-ip-search-value | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the default firewall IP search values. When a user updates these defaults, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogip.dat with the default number of IPs in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected page."
}
],
"id": "CVE-2025-34306",
"lastModified": "2025-11-03T17:01:37.027",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:10.867",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13881"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-ip-search-value"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34305
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain multiple stored cross-site scripting (XSS) vulnerabilities caused by a bug in the cleanhtml() function (/var/ipfire/header.pl) that fails to apply HTML-entity encoding to user input. When an authenticated user submits data to affected endpoints - for example, POST /cgi-bin/wakeonlan.cgi (CLIENT_COMMENT), /cgi-bin/dhcp.cgi (ADVOPT_DATA, FIX_REMARK, FIX_FILENAME, FIX_ROOTPATH), /cgi-bin/connscheduler.cgi (ACTION_COMMENT), /cgi-bin/dnsforward.cgi (REMARK), /cgi-bin/vpnmain.cgi (REMARK), or /cgi-bin/dns.cgi (REMARK) - the application calls escape() and HTML::Entities::encode_entities() but never assigns the sanitized result back to the output variable. The original unsanitized value is therefore stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected entries.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13880 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-multiple-methods-in-cleanhtml | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain multiple stored cross-site scripting (XSS) vulnerabilities caused by a bug in the cleanhtml() function (/var/ipfire/header.pl) that fails to apply HTML-entity encoding to user input. When an authenticated user submits data to affected endpoints - for example, POST /cgi-bin/wakeonlan.cgi (CLIENT_COMMENT), /cgi-bin/dhcp.cgi (ADVOPT_DATA, FIX_REMARK, FIX_FILENAME, FIX_ROOTPATH), /cgi-bin/connscheduler.cgi (ACTION_COMMENT), /cgi-bin/dnsforward.cgi (REMARK), /cgi-bin/vpnmain.cgi (REMARK), or /cgi-bin/dns.cgi (REMARK) - the application calls escape() and HTML::Entities::encode_entities() but never assigns the sanitized result back to the output variable. The original unsanitized value is therefore stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected entries."
}
],
"id": "CVE-2025-34305",
"lastModified": "2025-11-03T17:01:29.890",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:10.760",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13880"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-multiple-methods-in-cleanhtml"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34303
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the IGNORE_ENTRY_REMARK parameter when adding a whitelisted host. When a whitelisted host is added, an HTTP POST request is sent to the Request-URI /cgi-bin/ids.cgi and the remark for the entry is provided in the IGNORE_ENTRY_REMARK parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitization or encoding, allowing injected scripts to execute in the context of other users who view the affected whitelist entry.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13878 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-whitelisted-host-creation | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the IGNORE_ENTRY_REMARK parameter when adding a whitelisted host. When a whitelisted host is added, an HTTP POST request is sent to the Request-URI /cgi-bin/ids.cgi and the remark for the entry is provided in the IGNORE_ENTRY_REMARK parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitization or encoding, allowing injected scripts to execute in the context of other users who view the affected whitelist entry."
}
],
"id": "CVE-2025-34303",
"lastModified": "2025-11-03T17:01:07.687",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:10.540",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13878"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-whitelisted-host-creation"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34302
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the PROT parameter when creating a new service. When a user adds a service, the application issues an HTTP POST request with the ACTION parameter set to saveservice, and the protocol type is specified in the PROT parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitization or encoding, allowing injected scripts to execute in the context of other users viewing the affected service entry.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13877 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-service-creation | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the PROT parameter when creating a new service. When a user adds a service, the application issues an HTTP POST request with the ACTION parameter set to saveservice, and the protocol type is specified in the PROT parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitization or encoding, allowing injected scripts to execute in the context of other users viewing the affected service entry."
}
],
"id": "CVE-2025-34302",
"lastModified": "2025-11-03T17:01:01.010",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:10.433",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13877"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-service-creation"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34301
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:00
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code into the COUNTRY_CODE parameter when creating a location group. When a user adds a new location group, the application issues an HTTP POST request with the ACTION parameter set to savelocationgrp, and the value of the COUNTRY_CODE parameter determines the flag displayed for that group. The value of this parameter is stored and later rendered in the web interface without proper sanitization or encoding, allowing malicious scripts to be executed in the context of other users viewing the affected page.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13876 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-location-group-creation | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code into the COUNTRY_CODE parameter when creating a location group. When a user adds a new location group, the application issues an HTTP POST request with the ACTION parameter set to savelocationgrp, and the value of the COUNTRY_CODE parameter determines the flag displayed for that group. The value of this parameter is stored and later rendered in the web interface without proper sanitization or encoding, allowing malicious scripts to be executed in the context of other users viewing the affected page."
}
],
"id": "CVE-2025-34301",
"lastModified": "2025-11-03T17:00:46.467",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:10.310",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13876"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-location-group-creation"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}