CVE-2025-34303
📋 TL;DR
This stored XSS vulnerability in IPFire allows authenticated attackers to inject malicious JavaScript through the remark field of IDS/IPS whitelist host entries. The injected code executes when other users view the compromised whitelist entry, potentially leading to session hijacking or unintended administrative actions. Only IPFire installations before version 2.29 (Core Update 198) are affected.
💻 Affected Systems
- IPFire
📦 What is this software?
Ipfire by Ipfire
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, gain full administrative control, pivot to internal networks, or deploy malware to user browsers.
Likely Case
Attackers with authenticated access could perform session hijacking, modify firewall rules, or exfiltrate sensitive configuration data.
If Mitigated
With proper access controls and monitoring, impact is limited to authenticated user compromise without lateral movement.
🎯 Exploit Status
Exploitation requires authenticated access to the web interface; attacker must have permissions to modify IDS/IPS whitelist entries.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IPFire 2.29 (Core Update 198)
Vendor Advisory: https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released
Restart Required: No
Instructions:
1. Log into the IPFire web interface as admin.
2. Navigate to System > Updates.
3. Apply Core Update 198.
4. Verify that the version shows 2.29.
🔧 Temporary Workarounds
Restrict whitelist modification permissions
Limit which authenticated users can modify IDS/IPS whitelist entries to reduce the attack surface.
Implement web application firewall rules
Add WAF rules to block JavaScript injection in the IGNORE_ENTRY_REMARK parameter.
🧯 If You Can't Patch
- Disable IDS/IPS whitelist functionality if not required
- Implement strict input validation for IGNORE_ENTRY_REMARK parameter at network perimeter
🔍 How to Verify
Check if Vulnerable:
Check IPFire version via web interface dashboard or SSH command: cat /etc/ipfire-release
Check Version:
cat /etc/ipfire-release
Verify Fix Applied:
Verify version is 2.29 or later; test by attempting XSS payload in whitelist remark field (in test environment only).
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /cgi-bin/ids.cgi with JavaScript patterns in parameters
- Multiple whitelist entry modifications from single user
Network Indicators:
- HTTP POST to /cgi-bin/ids.cgi with script tags or JavaScript in IGNORE_ENTRY_REMARK parameter
SIEM Query:
source="ipfire_web_logs" AND uri="/cgi-bin/ids.cgi" AND (method="POST") AND (param="IGNORE_ENTRY_REMARK") AND (content CONTAINS "<script>" OR content CONTAINS "javascript:")
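An added detection example (not from the advisory or the IPFire project) that applies the indicators above to constructed log records: it parses POST bodies sent to /cgi-bin/ids.cgi, URL-decodes IGNORE_ENTRY_REMARK, flags script tags and javascript: URIs (plus, as an assumption beyond the page, any HTML tag at all) and counts whitelist modifications per user. The record format and the log lines are constructed; plain access logs do not carry POST bodies, so a WAF or audit log that does is assumed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample records in the shape a WAF or audit log might emit for the
# IPFire web interface: "<user> <method> <uri> <form body>". Plain access logs
# do not record POST bodies, so this check needs a source that captures them.
SAMPLE_LOG = """\
admin POST /cgi-bin/ids.cgi IGNORE_ENTRY_ADDRESS=10.0.0.5&IGNORE_ENTRY_REMARK=printer+vlan&ADD=Add
admin POST /cgi-bin/ids.cgi IGNORE_ENTRY_ADDRESS=10.0.0.6&IGNORE_ENTRY_REMARK=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&ADD=Add
admin POST /cgi-bin/ids.cgi IGNORE_ENTRY_ADDRESS=10.0.0.7&IGNORE_ENTRY_REMARK=%3Ca+href%3D%22javascript%3Avoid%280%29%22%3Ex%3C%2Fa%3E&ADD=Add
backup POST /cgi-bin/ids.cgi IGNORE_ENTRY_ADDRESS=10.0.0.8&IGNORE_ENTRY_REMARK=lab+host&ADD=Add
backup GET /cgi-bin/ids.cgi -
"""

# The advisory's two indicators plus a generic "any HTML tag" check (assumption:
# a legitimate remark never needs markup). parse_qs URL-decodes the value first,
# so percent-encoded payloads are matched as well.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:|<\s*[a-z!/]", re.I)


def remark_is_suspicious(remark):
    """True if a decoded IGNORE_ENTRY_REMARK value looks like injected markup."""
    return SUSPICIOUS.search(remark) is not None


def scan_log(text, per_user_threshold=3):
    """Return (alerts, noisy_users): suspicious (user, remark) pairs, and the
    users whose whitelist-modification count reaches per_user_threshold."""
    alerts, edits = [], Counter()
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        user, method, uri, body = parts
        if method != "POST" or uri != "/cgi-bin/ids.cgi":
            continue
        form = parse_qs(body, keep_blank_values=True)
        if "IGNORE_ENTRY_REMARK" not in form:
            continue
        edits[user] += 1  # one whitelist modification by this user
        for remark in form["IGNORE_ENTRY_REMARK"]:
            if remark_is_suspicious(remark):
                alerts.append((user, remark))
    noisy = sorted(u for u, n in edits.items() if n >= per_user_threshold)
    return alerts, noisy
```

Run `scan_log(SAMPLE_LOG)` to see the two injected remarks attributed to `admin`, who also trips the per-user modification threshold.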