Search criteria
82 vulnerabilities found for IPFire by IPFire
FKIE_CVE-2025-34317
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:03
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the TLS_HOSTNAME parameter when adding a new DNS entry. When a user adds a DNS entry, the application issues an HTTP POST request to /cgi-bin/dns.cgi and the TLS hostname is provided in the TLS_HOSTNAME parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected DNS configuration.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13892 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-dns-settings-dns-cgi | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "152B0C0E-533C-46A3-8688-A7A2282353E8",
"versionEndIncluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the TLS_HOSTNAME parameter when adding a new DNS entry. When a user adds a DNS entry, the application issues an HTTP POST request to /cgi-bin/dns.cgi and the TLS hostname is provided in the TLS_HOSTNAME parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected DNS configuration."
}
],
"id": "CVE-2025-34317",
"lastModified": "2025-11-03T17:03:01.643",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:12.037",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13892"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-dns-settings-dns-cgi"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34309
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the SERVICE, LOGIN, and PASSWORD parameters when creating or editing a Dynamic DNS host. When a new Dynamic DNS host is added, the application issues an HTTP POST request to /cgi-bin/ddns.cgi and saves the values of the LOGIN, PASSWORD, and SERVICE parameters. The SERVICE value is displayed after the host entry is created, and the LOGIN and PASSWORD values are displayed when that host entry is edited. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view or edit the affected Dynamic DNS entries.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13884 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-dynamic-dns-host | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the SERVICE, LOGIN, and PASSWORD parameters when creating or editing a Dynamic DNS host. When a new Dynamic DNS host is added, the application issues an HTTP POST request to /cgi-bin/ddns.cgi and saves the values of the LOGIN, PASSWORD, and SERVICE parameters. The SERVICE value is displayed after the host entry is created, and the LOGIN and PASSWORD values are displayed when that host entry is edited. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view or edit the affected Dynamic DNS entries."
}
],
"id": "CVE-2025-34309",
"lastModified": "2025-11-03T17:01:58.180",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.190",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13884"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-dynamic-dns-host"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34313
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:02
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the QUOTA_USERS parameter when creating a user quota rule. When a user adds a new user quota rule the application issues an HTTP POST request to /cgi-bin/urlfilter.cgi with the MODE parameter set to USERQUOTA and the assigned user(s) provided in the QUOTA_USERS parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected quota entry.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13888 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-user-quota-rule-url-filter | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the QUOTA_USERS parameter when creating a user quota rule. When a user adds a new user quota rule the application issues an HTTP POST request to /cgi-bin/urlfilter.cgi with the MODE parameter set to USERQUOTA and the assigned user(s) provided in the QUOTA_USERS parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected quota entry."
}
],
"id": "CVE-2025-34313",
"lastModified": "2025-11-03T17:02:29.217",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.613",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13888"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-user-quota-rule-url-filter"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34316
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:02
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the txt_mailuser and txt_mailpass parameters when updating the mail server settings. When a user updates the mail server, the application issues an HTTP POST request to /cgi-bin/mail.cgi and the username and password are provided in the txt_mailuser and txt_mailpass parameters. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected mail configuration.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13891 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-mail-server-settings | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the txt_mailuser and txt_mailpass parameters when updating the mail server settings. When a user updates the mail server, the application issues an HTTP POST request to /cgi-bin/mail.cgi and the username and password are provided in the txt_mailuser and txt_mailpass parameters. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected mail configuration."
}
],
"id": "CVE-2025-34316",
"lastModified": "2025-11-03T17:02:53.210",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.930",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13891"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-mail-server-settings"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34308
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the UPDATE_VALUE parameter when updating the default time synchronization settings. When the default values displayed on the Time Server page are updated, the application issues an HTTP POST request to /cgi-bin/time.cgi, and the synchronization value is provided in the UPDATE_VALUE parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected Time Server configuration page.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13883 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-time-sync | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the UPDATE_VALUE parameter when updating the default time synchronization settings. When the default values displayed on the Time Server page are updated, the application issues an HTTP POST request to /cgi-bin/time.cgi, and the synchronization value is provided in the UPDATE_VALUE parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected Time Server configuration page."
}
],
"id": "CVE-2025-34308",
"lastModified": "2025-11-03T17:01:51.640",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.080",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13883"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-time-sync"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34314
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:02
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the SRC, DST, and COMMENT parameters when creating a time constraint rule. When a user adds a time constraint rule the application issues an HTTP POST request to /cgi-bin/urlfilter.cgi with the MODE parameter set to TIMECONSTRAINT and the source hostnames/IPs, destination, and remark provided in the SRC, DST, and COMMENT parameters respectively. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected time constraint entry.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13889 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-time-constraint-rule-url-filter | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the SRC, DST, and COMMENT parameters when creating a time constraint rule. When a user adds a time constraint rule the application issues an HTTP POST request to /cgi-bin/urlfilter.cgi with the MODE parameter set to TIMECONSTRAINT and the source hostnames/IPs, destination, and remark provided in the SRC, DST, and COMMENT parameters respectively. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected time constraint entry."
}
],
"id": "CVE-2025-34314",
"lastModified": "2025-11-03T17:02:38.580",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.720",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13889"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-time-constraint-rule-url-filter"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34311
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:02
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user 'nobody' via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the 'nobody' user.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13886 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-command-injection-via-proxy-report-creation | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user \u0027nobody\u0027 via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the \u0027nobody\u0027 user."
}
],
"id": "CVE-2025-34311",
"lastModified": "2025-11-03T17:02:11.273",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.400",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13886"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-command-injection-via-proxy-report-creation"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34312
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:02
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the 'nobody' user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the 'nobody' user.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13887 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-command-injection-via-url-filter-blacklist | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the \u0027nobody\u0027 user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the \u0027nobody\u0027 user."
}
],
"id": "CVE-2025-34312",
"lastModified": "2025-11-03T17:02:22.193",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.510",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13887"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-command-injection-via-url-filter-blacklist"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34310
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:02
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the INC_SPD, OUT_SPD, DEFCLASS_INC, and DEFCLASS_OUT parameters when updating Quality of Service (QoS) settings. When a user updates speeds or classes, the application issues an HTTP POST request to /cgi-bin/qos.cgi and the values for incoming/outgoing speeds and default classes are provided in the INC_SPD, OUT_SPD, DEFCLASS_INC, and DEFCLASS_OUT parameters. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected QoS entries.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13883 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-quality-of-service-settings | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the INC_SPD, OUT_SPD, DEFCLASS_INC, and DEFCLASS_OUT parameters when updating Quality of Service (QoS) settings. When a user updates speeds or classes, the application issues an HTTP POST request to /cgi-bin/qos.cgi and the values for incoming/outgoing speeds and default classes are provided in the INC_SPD, OUT_SPD, DEFCLASS_INC, and DEFCLASS_OUT parameters. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected QoS entries."
}
],
"id": "CVE-2025-34310",
"lastModified": "2025-11-03T17:02:04.513",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.293",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13883"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-quality-of-service-settings"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34315
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:02
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the REMOTELOG_ADDR parameter when updating the remote syslog server address. When a user updates the Remote logging Syslog server, the application issues an HTTP POST request to /cgi-bin/logs.cgi/config.dat and the server address is provided in the REMOTELOG_ADDR parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected configuration page.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13890 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-remote-syslog-server-address | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the REMOTELOG_ADDR parameter when updating the remote syslog server address. When a user updates the Remote logging Syslog server, the application issues an HTTP POST request to /cgi-bin/logs.cgi/config.dat and the server address is provided in the REMOTELOG_ADDR parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected configuration page."
}
],
"id": "CVE-2025-34315",
"lastModified": "2025-11-03T17:02:45.220",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:11.823",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13890"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-remote-syslog-server-address"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34306
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the default firewall IP search values. When a user updates these defaults, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogip.dat with the default number of IPs in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected page.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13881 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-ip-search-value | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the default firewall IP search values. When a user updates these defaults, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogip.dat with the default number of IPs in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected page."
}
],
"id": "CVE-2025-34306",
"lastModified": "2025-11-03T17:01:37.027",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:10.867",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13881"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-ip-search-value"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34305
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain multiple stored cross-site scripting (XSS) vulnerabilities caused by a bug in the cleanhtml() function (/var/ipfire/header.pl) that fails to apply HTML-entity encoding to user input. When an authenticated user submits data to affected endpoints - for example, POST /cgi-bin/wakeonlan.cgi (CLIENT_COMMENT), /cgi-bin/dhcp.cgi (ADVOPT_DATA, FIX_REMARK, FIX_FILENAME, FIX_ROOTPATH), /cgi-bin/connscheduler.cgi (ACTION_COMMENT), /cgi-bin/dnsforward.cgi (REMARK), /cgi-bin/vpnmain.cgi (REMARK), or /cgi-bin/dns.cgi (REMARK) - the application calls escape() and HTML::Entities::encode_entities() but never assigns the sanitized result back to the output variable. The original unsanitized value is therefore stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected entries.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13880 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-multiple-methods-in-cleanhtml | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain multiple stored cross-site scripting (XSS) vulnerabilities caused by a bug in the cleanhtml() function (/var/ipfire/header.pl) that fails to apply HTML-entity encoding to user input. When an authenticated user submits data to affected endpoints - for example, POST /cgi-bin/wakeonlan.cgi (CLIENT_COMMENT), /cgi-bin/dhcp.cgi (ADVOPT_DATA, FIX_REMARK, FIX_FILENAME, FIX_ROOTPATH), /cgi-bin/connscheduler.cgi (ACTION_COMMENT), /cgi-bin/dnsforward.cgi (REMARK), /cgi-bin/vpnmain.cgi (REMARK), or /cgi-bin/dns.cgi (REMARK) - the application calls escape() and HTML::Entities::encode_entities() but never assigns the sanitized result back to the output variable. The original unsanitized value is therefore stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected entries."
}
],
"id": "CVE-2025-34305",
"lastModified": "2025-11-03T17:01:29.890",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:10.760",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13880"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-multiple-methods-in-cleanhtml"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34301
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:00
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code into the COUNTRY_CODE parameter when creating a location group. When a user adds a new location group, the application issues an HTTP POST request with the ACTION parameter set to savelocationgrp, and the value of the COUNTRY_CODE parameter determines the flag displayed for that group. The value of this parameter is stored and later rendered in the web interface without proper sanitization or encoding, allowing malicious scripts to be executed in the context of other users viewing the affected page.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13876 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-location-group-creation | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code into the COUNTRY_CODE parameter when creating a location group. When a user adds a new location group, the application issues an HTTP POST request with the ACTION parameter set to savelocationgrp, and the value of the COUNTRY_CODE parameter determines the flag displayed for that group. The value of this parameter is stored and later rendered in the web interface without proper sanitization or encoding, allowing malicious scripts to be executed in the context of other users viewing the affected page."
}
],
"id": "CVE-2025-34301",
"lastModified": "2025-11-03T17:00:46.467",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:10.310",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13876"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-location-group-creation"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34304
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a SQL injection vulnerability that allows an authenticated attacker to manipulate the SQL query used when viewing OpenVPN connection logs via the CONNECTION_NAME parameter. When viewing a range of OpenVPN connection logs, the application issues an HTTP POST request to the Request-URI /cgi-bin/logs.cgi/ovpnclients.dat and inserts the value of the CONNECTION_NAME parameter directly into the WHERE clause without proper sanitization or parameterization. The unsanitized value can alter the executed query and be used to disclose sensitive information from the database.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13879 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-sqli-via-openvpn-connection-logs | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a SQL injection vulnerability that allows an authenticated attacker to manipulate the SQL query used when viewing OpenVPN connection logs via the CONNECTION_NAME parameter. When viewing a range of OpenVPN connection logs, the application issues an HTTP POST request to the Request-URI /cgi-bin/logs.cgi/ovpnclients.dat and inserts the value of the CONNECTION_NAME parameter directly into the WHERE clause\u00a0without proper sanitization or parameterization. The unsanitized value can alter the executed query and be used to disclose sensitive information from the database."
}
],
"id": "CVE-2025-34304",
"lastModified": "2025-11-03T17:01:19.933",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:10.647",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13879"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-sqli-via-openvpn-connection-logs"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34307
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the firewall country search defaults. When a user updates the default values for the firewall country search, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogcountry.dat and the default number of countries to display is provided in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected firewall country search settings.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13882 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-country-search | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the firewall country search defaults. When a user updates the default values for the firewall country search, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogcountry.dat and the default number of countries to display is provided in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected firewall country search settings."
}
],
"id": "CVE-2025-34307",
"lastModified": "2025-11-03T17:01:43.500",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:10.973",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13882"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-country-search"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34302
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the PROT parameter when creating a new service. When a user adds a service, the application issues an HTTP POST request with the ACTION parameter set to saveservice, and the protocol type is specified in the PROT parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitization or encoding, allowing injected scripts to execute in the context of other users viewing the affected service entry.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13877 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-service-creation | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the PROT parameter when creating a new service. When a user adds a service, the application issues an HTTP POST request with the ACTION parameter set to saveservice, and the protocol type is specified in the PROT parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitization or encoding, allowing injected scripts to execute in the context of other users viewing the affected service entry."
}
],
"id": "CVE-2025-34302",
"lastModified": "2025-11-03T17:01:01.010",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:10.433",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13877"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-service-creation"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-34303
Vulnerability from fkie_nvd - Published: 2025-10-28 15:16 - Updated: 2025-11-03 17:01
Severity ?
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the IGNORE_ENTRY_REMARK parameter when adding a whitelisted host. When a whitelisted host is added, an HTTP POST request is sent to the Request-URI /cgi-bin/ids.cgi and the remark for the entry is provided in the IGNORE_ENTRY_REMARK parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitization or encoding, allowing injected scripts to execute in the context of other users who view the affected whitelist entry.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://bugzilla.ipfire.org/show_bug.cgi?id=13878 | Issue Tracking, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released | Release Notes | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/ipfire-stored-xss-via-whitelisted-host-creation | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ipfire | ipfire | * | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 | |
| ipfire | ipfire | 2.29 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A",
"versionEndExcluding": "2.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*",
"matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*",
"matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*",
"matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*",
"matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*",
"matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*",
"matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*",
"matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*",
"matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*",
"matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*",
"matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*",
"matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update194:*:*:*:*:*:*",
"matchCriteriaId": "A4ADE9ED-675A-4577-AF4A-047B4D7D8E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update195:*:*:*:*:*:*",
"matchCriteriaId": "3FA0F87A-3926-4B10-97C8-12EBFD9454D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update196:*:*:*:*:*:*",
"matchCriteriaId": "0E2F1488-B8FA-4BFF-81B9-308E0C462B47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update197:*:*:*:*:*:*",
"matchCriteriaId": "3480B74D-D516-4A8C-AAA3-C7990FEA345D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the IGNORE_ENTRY_REMARK parameter when adding a whitelisted host. When a whitelisted host is added, an HTTP POST request is sent to the Request-URI /cgi-bin/ids.cgi and the remark for the entry is provided in the IGNORE_ENTRY_REMARK parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitization or encoding, allowing injected scripts to execute in the context of other users who view the affected whitelist entry."
}
],
"id": "CVE-2025-34303",
"lastModified": "2025-11-03T17:01:07.687",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-10-28T15:16:10.540",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13878"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Release Notes"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-whitelisted-host-creation"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
CVE-2025-34311 (GCVE-0-2025-34311)
Vulnerability from cvelistv5 – Published: 2025-10-28 14:43 – Updated: 2025-10-28 15:16
VLAI?
Title
IPFire < v2.29 Command Injection via Proxy Report Creation
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user 'nobody' via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the 'nobody' user.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:15:44.775017Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:16:34.491Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/logs.cgi/calamaris.dat"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u0026nbsp;a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user \u0027nobody\u0027 via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the \u0027nobody\u0027 user.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user \u0027nobody\u0027 via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the \u0027nobody\u0027 user."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:43:31.324Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13886"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-command-injection-via-proxy-report-creation"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 Command Injection via Proxy Report Creation",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34311",
"datePublished": "2025-10-28T14:43:31.324Z",
"dateReserved": "2025-04-15T19:15:22.583Z",
"dateUpdated": "2025-10-28T15:16:34.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34312 (GCVE-0-2025-34312)
Vulnerability from cvelistv5 – Published: 2025-10-28 14:37 – Updated: 2025-10-28 15:17
VLAI?
Title
IPFire < v2.29 Command Injection via URL Filter Blacklist
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the 'nobody' user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the 'nobody' user.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:16:52.840126Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:17:00.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/urlfilter.cgi"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u0026nbsp;a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the \u0027nobody\u0027 user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the \u0027nobody\u0027 user.\u003cbr\u003e"
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the \u0027nobody\u0027 user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the \u0027nobody\u0027 user."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:43:48.395Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13887"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-command-injection-via-url-filter-blacklist"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 Command Injection via URL Filter Blacklist",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34312",
"datePublished": "2025-10-28T14:37:47.417Z",
"dateReserved": "2025-04-15T19:15:22.583Z",
"dateUpdated": "2025-10-28T15:17:00.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34304 (GCVE-0-2025-34304)
Vulnerability from cvelistv5 – Published: 2025-10-28 14:37 – Updated: 2025-10-28 15:18
VLAI?
Title
IPFire < v2.29 SQL Injection via OpenVPN Connection Logs
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a SQL injection vulnerability that allows an authenticated attacker to manipulate the SQL query used when viewing OpenVPN connection logs via the CONNECTION_NAME parameter. When viewing a range of OpenVPN connection logs, the application issues an HTTP POST request to the Request-URI /cgi-bin/logs.cgi/ovpnclients.dat and inserts the value of the CONNECTION_NAME parameter directly into the WHERE clause without proper sanitization or parameterization. The unsanitized value can alter the executed query and be used to disclose sensitive information from the database.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34304",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:17:14.988671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:18:27.982Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/logs.cgi/ovpnclients.dat"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a SQL injection vulnerability that allows an authenticated attacker to manipulate the SQL query used when viewing OpenVPN connection logs via the \u003ccode\u003eCONNECTION_NAME\u003c/code\u003e parameter. When viewing a range of OpenVPN connection logs, the application issues an HTTP \u003ccode\u003ePOST\u003c/code\u003e request to the Request-URI \u003ccode\u003e/cgi-bin/logs.cgi/ovpnclients.dat\u003c/code\u003e and inserts the value of the \u003ccode\u003eCONNECTION_NAME\u003c/code\u003e parameter directly into the \u003ccode\u003eWHERE\u003c/code\u003e clause\u0026nbsp;without proper sanitization or parameterization. The unsanitized value can alter the executed query and be used to disclose sensitive information from the database."
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a SQL injection vulnerability that allows an authenticated attacker to manipulate the SQL query used when viewing OpenVPN connection logs via the CONNECTION_NAME parameter. When viewing a range of OpenVPN connection logs, the application issues an HTTP POST request to the Request-URI /cgi-bin/logs.cgi/ovpnclients.dat and inserts the value of the CONNECTION_NAME parameter directly into the WHERE clause\u00a0without proper sanitization or parameterization. The unsanitized value can alter the executed query and be used to disclose sensitive information from the database."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:37:29.929Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13879"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-sqli-via-openvpn-connection-logs"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 SQL Injection via OpenVPN Connection Logs",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34304",
"datePublished": "2025-10-28T14:37:29.929Z",
"dateReserved": "2025-04-15T19:15:22.582Z",
"dateUpdated": "2025-10-28T15:18:27.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34307 (GCVE-0-2025-34307)
Vulnerability from cvelistv5 – Published: 2025-10-28 14:37 – Updated: 2025-10-28 15:18
VLAI?
Title
IPFire < v2.29 Stored XSS via Default Country Search
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the firewall country search defaults. When a user updates the default values for the firewall country search, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogcountry.dat and the default number of countries to display is provided in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected firewall country search settings.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34307",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:17:22.520438Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:18:44.969Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/logs.cgi/firewalllogcountry.dat"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u0026nbsp;a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the firewall country search defaults. When a user updates the default values for the firewall country search, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogcountry.dat and the default number of countries to display is provided in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected firewall country search settings."
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the firewall country search defaults. When a user updates the default values for the firewall country search, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogcountry.dat and the default number of countries to display is provided in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected firewall country search settings."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:37:12.722Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13882"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-country-search"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 Stored XSS via Default Country Search",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34307",
"datePublished": "2025-10-28T14:37:12.722Z",
"dateReserved": "2025-04-15T19:15:22.582Z",
"dateUpdated": "2025-10-28T15:18:44.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34306 (GCVE-0-2025-34306)
Vulnerability from cvelistv5 – Published: 2025-10-28 14:36 – Updated: 2025-10-28 15:18
VLAI?
Title
IPFire < v2.29 Stored XSS via Default IP Search Value
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the default firewall IP search values. When a user updates these defaults, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogip.dat with the default number of IPs in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected page.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34306",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:17:42.915656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:18:55.649Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/logs.cgi/firewalllogip.dat"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the default firewall IP search values. When a user updates these defaults, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogip.dat with the default number of IPs in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected page."
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the default firewall IP search values. When a user updates these defaults, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogip.dat with the default number of IPs in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected page."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:36:54.996Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13881"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-ip-search-value"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 Stored XSS via Default IP Search Value",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34306",
"datePublished": "2025-10-28T14:36:54.996Z",
"dateReserved": "2025-04-15T19:15:22.582Z",
"dateUpdated": "2025-10-28T15:18:55.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34308 (GCVE-0-2025-34308)
Vulnerability from cvelistv5 – Published: 2025-10-28 14:36 – Updated: 2025-10-28 15:19
VLAI?
Title
IPFire < v2.29 Stored XSS via Default Time Sync
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the UPDATE_VALUE parameter when updating the default time synchronization settings. When the default values displayed on the Time Server page are updated, the application issues an HTTP POST request to /cgi-bin/time.cgi, and the synchronization value is provided in the UPDATE_VALUE parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected Time Server configuration page.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34308",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:17:58.291260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:19:08.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/time.cgi"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u0026nbsp;a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the UPDATE_VALUE parameter when updating the default time synchronization settings. When the default values displayed on the Time Server page are updated, the application issues an HTTP POST request to /cgi-bin/time.cgi, and the synchronization value is provided in the UPDATE_VALUE parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected Time Server configuration page."
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the UPDATE_VALUE parameter when updating the default time synchronization settings. When the default values displayed on the Time Server page are updated, the application issues an HTTP POST request to /cgi-bin/time.cgi, and the synchronization value is provided in the UPDATE_VALUE parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected Time Server configuration page."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:36:37.471Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13883"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-time-sync"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 Stored XSS via Default Time Sync",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34308",
"datePublished": "2025-10-28T14:36:37.471Z",
"dateReserved": "2025-04-15T19:15:22.582Z",
"dateUpdated": "2025-10-28T15:19:08.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34317 (GCVE-0-2025-34317)
Vulnerability from cvelistv5 – Published: 2025-10-28 14:36 – Updated: 2025-10-28 15:19
VLAI?
Title
IPFire < v2.29 Stored XSS via DNS Creation (dns.cgi)
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the TLS_HOSTNAME parameter when adding a new DNS entry. When a user adds a DNS entry, the application issues an HTTP POST request to /cgi-bin/dns.cgi and the TLS hostname is provided in the TLS_HOSTNAME parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected DNS configuration.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34317",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:18:10.938485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:19:29.398Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/dns.cgi"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u0026nbsp;a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the TLS_HOSTNAME parameter when adding a new DNS entry. When a user adds a DNS entry, the application issues an HTTP POST request to /cgi-bin/dns.cgi and the TLS hostname is provided in the TLS_HOSTNAME parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected DNS configuration.\u003cbr\u003e"
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the TLS_HOSTNAME parameter when adding a new DNS entry. When a user adds a DNS entry, the application issues an HTTP POST request to /cgi-bin/dns.cgi and the TLS hostname is provided in the TLS_HOSTNAME parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected DNS configuration."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:36:00.558Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13892"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-dns-settings-dns-cgi"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 Stored XSS via DNS Creation (dns.cgi)",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34317",
"datePublished": "2025-10-28T14:36:00.558Z",
"dateReserved": "2025-04-15T19:15:22.584Z",
"dateUpdated": "2025-10-28T15:19:29.398Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34311 (GCVE-0-2025-34311)
Vulnerability from nvd – Published: 2025-10-28 14:43 – Updated: 2025-10-28 15:16
VLAI?
Title
IPFire < v2.29 Command Injection via Proxy Report Creation
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user 'nobody' via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the 'nobody' user.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:15:44.775017Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:16:34.491Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/logs.cgi/calamaris.dat"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u0026nbsp;a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user \u0027nobody\u0027 via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the \u0027nobody\u0027 user.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user \u0027nobody\u0027 via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the \u0027nobody\u0027 user."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:43:31.324Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13886"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-command-injection-via-proxy-report-creation"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 Command Injection via Proxy Report Creation",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34311",
"datePublished": "2025-10-28T14:43:31.324Z",
"dateReserved": "2025-04-15T19:15:22.583Z",
"dateUpdated": "2025-10-28T15:16:34.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34312 (GCVE-0-2025-34312)
Vulnerability from nvd – Published: 2025-10-28 14:37 – Updated: 2025-10-28 15:17
VLAI?
Title
IPFire < v2.29 Command Injection via URL Filter Blacklist
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the 'nobody' user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the 'nobody' user.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:16:52.840126Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:17:00.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/urlfilter.cgi"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u0026nbsp;a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the \u0027nobody\u0027 user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the \u0027nobody\u0027 user.\u003cbr\u003e"
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the \u0027nobody\u0027 user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the \u0027nobody\u0027 user."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:43:48.395Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13887"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-command-injection-via-url-filter-blacklist"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 Command Injection via URL Filter Blacklist",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34312",
"datePublished": "2025-10-28T14:37:47.417Z",
"dateReserved": "2025-04-15T19:15:22.583Z",
"dateUpdated": "2025-10-28T15:17:00.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34304 (GCVE-0-2025-34304)
Vulnerability from nvd – Published: 2025-10-28 14:37 – Updated: 2025-10-28 15:18
VLAI?
Title
IPFire < v2.29 SQL Injection via OpenVPN Connection Logs
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a SQL injection vulnerability that allows an authenticated attacker to manipulate the SQL query used when viewing OpenVPN connection logs via the CONNECTION_NAME parameter. When viewing a range of OpenVPN connection logs, the application issues an HTTP POST request to the Request-URI /cgi-bin/logs.cgi/ovpnclients.dat and inserts the value of the CONNECTION_NAME parameter directly into the WHERE clause without proper sanitization or parameterization. The unsanitized value can alter the executed query and be used to disclose sensitive information from the database.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34304",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:17:14.988671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:18:27.982Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/logs.cgi/ovpnclients.dat"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a SQL injection vulnerability that allows an authenticated attacker to manipulate the SQL query used when viewing OpenVPN connection logs via the \u003ccode\u003eCONNECTION_NAME\u003c/code\u003e parameter. When viewing a range of OpenVPN connection logs, the application issues an HTTP \u003ccode\u003ePOST\u003c/code\u003e request to the Request-URI \u003ccode\u003e/cgi-bin/logs.cgi/ovpnclients.dat\u003c/code\u003e and inserts the value of the \u003ccode\u003eCONNECTION_NAME\u003c/code\u003e parameter directly into the \u003ccode\u003eWHERE\u003c/code\u003e clause\u0026nbsp;without proper sanitization or parameterization. The unsanitized value can alter the executed query and be used to disclose sensitive information from the database."
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a SQL injection vulnerability that allows an authenticated attacker to manipulate the SQL query used when viewing OpenVPN connection logs via the CONNECTION_NAME parameter. When viewing a range of OpenVPN connection logs, the application issues an HTTP POST request to the Request-URI /cgi-bin/logs.cgi/ovpnclients.dat and inserts the value of the CONNECTION_NAME parameter directly into the WHERE clause\u00a0without proper sanitization or parameterization. The unsanitized value can alter the executed query and be used to disclose sensitive information from the database."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:37:29.929Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13879"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-sqli-via-openvpn-connection-logs"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 SQL Injection via OpenVPN Connection Logs",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34304",
"datePublished": "2025-10-28T14:37:29.929Z",
"dateReserved": "2025-04-15T19:15:22.582Z",
"dateUpdated": "2025-10-28T15:18:27.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34307 (GCVE-0-2025-34307)
Vulnerability from nvd – Published: 2025-10-28 14:37 – Updated: 2025-10-28 15:18
VLAI?
Title
IPFire < v2.29 Stored XSS via Default Country Search
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the firewall country search defaults. When a user updates the default values for the firewall country search, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogcountry.dat and the default number of countries to display is provided in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected firewall country search settings.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34307",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:17:22.520438Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:18:44.969Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/logs.cgi/firewalllogcountry.dat"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u0026nbsp;a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the firewall country search defaults. When a user updates the default values for the firewall country search, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogcountry.dat and the default number of countries to display is provided in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected firewall country search settings."
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the firewall country search defaults. When a user updates the default values for the firewall country search, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogcountry.dat and the default number of countries to display is provided in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected firewall country search settings."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:37:12.722Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13882"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-country-search"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 Stored XSS via Default Country Search",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34307",
"datePublished": "2025-10-28T14:37:12.722Z",
"dateReserved": "2025-04-15T19:15:22.582Z",
"dateUpdated": "2025-10-28T15:18:44.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34306 (GCVE-0-2025-34306)
Vulnerability from nvd – Published: 2025-10-28 14:36 – Updated: 2025-10-28 15:18
VLAI?
Title
IPFire < v2.29 Stored XSS via Default IP Search Value
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the default firewall IP search values. When a user updates these defaults, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogip.dat with the default number of IPs in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected page.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34306",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:17:42.915656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:18:55.649Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/logs.cgi/firewalllogip.dat"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the default firewall IP search values. When a user updates these defaults, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogip.dat with the default number of IPs in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected page."
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the default firewall IP search values. When a user updates these defaults, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogip.dat with the default number of IPs in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected page."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:36:54.996Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13881"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-ip-search-value"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 Stored XSS via Default IP Search Value",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34306",
"datePublished": "2025-10-28T14:36:54.996Z",
"dateReserved": "2025-04-15T19:15:22.582Z",
"dateUpdated": "2025-10-28T15:18:55.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34308 (GCVE-0-2025-34308)
Vulnerability from nvd – Published: 2025-10-28 14:36 – Updated: 2025-10-28 15:19
VLAI?
Title
IPFire < v2.29 Stored XSS via Default Time Sync
Summary
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the UPDATE_VALUE parameter when updating the default time synchronization settings. When the default values displayed on the Time Server page are updated, the application issues an HTTP POST request to /cgi-bin/time.cgi, and the synchronization value is provided in the UPDATE_VALUE parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected Time Server configuration page.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IPFire.org | IPFire |
Affected:
0 , < 2.29 (Core Update 198)
(custom)
|
Credits
Alex Williams from Pellera Technologies
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34308",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-28T15:17:58.291260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T15:19:08.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"/cgi-bin/time.cgi"
],
"product": "IPFire",
"vendor": "IPFire.org",
"versions": [
{
"lessThan": "2.29 (Core Update 198)",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ipfire.org:ipfire:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.29_(core_update_198)",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Pellera Technologies"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u0026nbsp;a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the UPDATE_VALUE parameter when updating the default time synchronization settings. When the default values displayed on the Time Server page are updated, the application issues an HTTP POST request to /cgi-bin/time.cgi, and the synchronization value is provided in the UPDATE_VALUE parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected Time Server configuration page."
}
],
"value": "IPFire versions prior to 2.29 (Core Update 198) contain\u00a0a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the UPDATE_VALUE parameter when updating the default time synchronization settings. When the default values displayed on the Time Server page are updated, the application issues an HTTP POST request to /cgi-bin/time.cgi, and the synchronization value is provided in the UPDATE_VALUE parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected Time Server configuration page."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T14:36:37.471Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13883"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-time-sync"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IPFire \u003c v2.29 Stored XSS via Default Time Sync",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34308",
"datePublished": "2025-10-28T14:36:37.471Z",
"dateReserved": "2025-04-15T19:15:22.582Z",
"dateUpdated": "2025-10-28T15:19:08.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}