CVE-2025-34302
📋 TL;DR
This stored XSS vulnerability in IPFire allows authenticated attackers to inject malicious JavaScript through service creation. When other users view the compromised service entry, the script executes in their browser context. Only IPFire administrators with service creation privileges are affected.
💻 Affected Systems
- IPFire
📦 What is this software?
Ipfire by Ipfire
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, perform actions as other users, or redirect users to malicious sites, potentially leading to full system compromise.
Likely Case
Attackers with valid credentials could perform session hijacking, modify firewall rules, or exfiltrate sensitive configuration data from the IPFire web interface.
If Mitigated
With proper input validation and output encoding, the injected scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access to the IPFire web interface. The vulnerability is in the service creation functionality, where input to the PROT parameter is not properly sanitized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IPFire 2.29 (Core Update 198)
Vendor Advisory: https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released
Restart Required: No
Instructions:
1. Log into the IPFire web interface as administrator.
2. Navigate to System > Updates.
3. Apply Core Update 198.
4. Verify the system shows version 2.29.
🔧 Temporary Workarounds
Input Validation via Web Application Firewall
Configure WAF rules to block requests containing JavaScript in the PROT parameter
Restrict Service Creation Privileges
Limit which administrators can create services to reduce attack surface
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
- Monitor and audit service creation logs for suspicious PROT parameter values
🔍 How to Verify
Check if Vulnerable:
Check IPFire version via web interface dashboard or SSH command: cat /etc/ipfire-release
Check Version:
cat /etc/ipfire-release
Verify Fix Applied:
Verify version shows 2.29 or higher after applying Core Update 198
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /cgi-bin/services.cgi with ACTION=saveservice containing JavaScript in PROT parameter
- Unusual service creation events from non-standard administrator accounts
Network Indicators:
- Unexpected outbound connections from IPFire web interface to external domains following service creation
SIEM Query:
source="ipfire_web_logs" AND uri="/cgi-bin/services.cgi" AND method="POST" AND params ACTION="saveservice" AND params PROT CONTAINS "<script>"
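The query above matches only the literal string `<script>` and will miss URL-encoded or mixed-case values. The following is an added example (not from the advisory or from IPFire) that decodes a captured form body and flags any PROT value that is not a plain token. It assumes request bodies are available, for example from a reverse proxy or WAF audit log; the allow-list pattern and the `name`/`port` fields in the samples are assumptions, while `ACTION`, `saveservice` and `PROT` come from the indicators listed above.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Assumption: a legitimate PROT value is a short protocol token
# (letters, digits, '-' or '_'). Adjust to the values your systems use.
SAFE_PROT = re.compile(r"[A-Za-z0-9_-]{1,16}")


def decode_fully(value, max_rounds=3):
    """Undo repeated URL-encoding so double-encoded markup is not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_prot(body):
    """Return decoded PROT values from a saveservice POST body that fail the allow-list."""
    fields = parse_qs(body, keep_blank_values=True)
    if "saveservice" not in fields.get("ACTION", []):
        return []
    hits = []
    for raw in fields.get("PROT", []):
        value = decode_fully(raw)
        if not SAFE_PROT.fullmatch(value):
            hits.append(value)
    return hits


# Constructed sample bodies (not real traffic); name/port are placeholder fields.
SAMPLES = [
    "ACTION=saveservice&name=web&port=8080&PROT=TCP",
    "ACTION=saveservice&name=x&port=1&PROT=%3Cscript%3E",
    "ACTION=saveservice&name=y&port=2&PROT=%253CScRiPt%253E",
    "ACTION=delete&PROT=%3Cb%3E",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", suspicious_prot(body) or "ok")
```

Because the check is an allow-list rather than a signature, it also flags empty or otherwise malformed PROT values, which are worth reviewing alongside the service creation events listed above.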