CVE-2025-34301
📋 TL;DR
This stored XSS vulnerability in IPFire allows authenticated attackers to inject malicious JavaScript into location group configurations. When other users view the affected page, the script executes in their browser context. Only IPFire firewall administrators with location group creation privileges are affected.
💻 Affected Systems
- IPFire
📦 What is this software?
Ipfire by Ipfire
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious administrator could steal session cookies, perform actions as other users, or redirect users to malicious sites, potentially compromising the entire firewall management interface.
Likely Case
An attacker with valid credentials could perform session hijacking, modify firewall settings, or deploy backdoors through the web interface.
If Mitigated
With proper access controls and network segmentation, impact is limited to the management interface with no direct access to underlying systems.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the web interface. No public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IPFire 2.29 (Core Update 198)
Vendor Advisory: https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released
Restart Required: No
Instructions:
1. Log into IPFire web interface.
2. Navigate to System > Updates.
3. Apply Core Update 198.
4. Verify version shows 2.29.
🔧 Temporary Workarounds
Restrict Location Group Access
Limit location group creation/modification to trusted administrators only.
Input Validation via WAF
Deploy web application firewall rules to block XSS payloads in the COUNTRY_CODE parameter.
🧯 If You Can't Patch
- Restrict web interface access to trusted IP addresses only using firewall rules.
- Implement strict session management and regularly rotate administrator credentials.
🔍 How to Verify
Check if Vulnerable:
Check IPFire version via web interface dashboard or SSH command: cat /etc/ipfire-release
Check Version:
cat /etc/ipfire-release
Verify Fix Applied:
Confirm the version is 2.29 (Core Update 198) or higher, then test location group creation with XSS payloads and confirm they are sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /cgi-bin/locationgrp.cgi with ACTION=savelocationgrp containing script tags in COUNTRY_CODE parameter
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- HTTP POST requests containing JavaScript payloads in parameters
- Unusual outbound connections from firewall management interface
SIEM Query:
source="ipfire_web_logs" AND uri="/cgi-bin/locationgrp.cgi" AND method="POST" AND param="COUNTRY_CODE" AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
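
The log indicator and SIEM query above match literal strings, which a URL-encoded request body would not contain. As an added example (not from the vendor advisory or IPFire's own code), the Python check below decodes the form body and flags any COUNTRY_CODE value that is not a short country-style code. The record layout (method, URI, body) and the accepted code pattern are assumptions to adapt to your own request logging.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/cgi-bin/locationgrp.cgi"  # from the log indicator above
TARGET_ACTION = "savelocationgrp"         # from the log indicator above
# Assumption: a legitimate COUNTRY_CODE is a two-character code such as "DE" or "A1".
VALID_CODE = re.compile(r"[A-Z][A-Z0-9]")


def suspicious_country_codes(method, uri, body):
    """Return COUNTRY_CODE values in a save request that are not plain codes."""
    if method.upper() != "POST" or urlsplit(uri).path != TARGET_PATH:
        return []
    # parse_qs URL-decodes values, so %3Cscript%3E is inspected as <script>.
    params = parse_qs(body, keep_blank_values=True)
    if TARGET_ACTION not in params.get("ACTION", []):
        return []
    return [v for v in params.get("COUNTRY_CODE", [])
            if not VALID_CODE.fullmatch(v)]


# Constructed sample records (method, URI, form body); not real log data.
SAMPLE_REQUESTS = [
    ("POST", TARGET_PATH,
     "ACTION=savelocationgrp&COUNTRY_CODE=DE&COUNTRY_CODE=FR"),
    ("POST", TARGET_PATH,
     "ACTION=savelocationgrp&COUNTRY_CODE=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("POST", TARGET_PATH,
     "ACTION=savelocationgrp&COUNTRY_CODE=javascript%3Avoid(0)"),
    ("POST", "/cgi-bin/index.cgi", "COUNTRY_CODE=%3Cscript%3E"),
]


def scan(requests):
    """Map request index -> offending values, for requests that have any."""
    hits = {}
    for i, (method, uri, body) in enumerate(requests):
        bad = suspicious_country_codes(method, uri, body)
        if bad:
            hits[i] = bad
    return hits


if __name__ == "__main__":
    for idx, values in scan(SAMPLE_REQUESTS).items():
        print(f"request {idx}: unexpected COUNTRY_CODE {values!r}")
```

Because the check is an allowlist on the expected value shape, it also catches markup that does not contain the exact strings the SIEM query looks for.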