CVE-2025-34307

5.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in IPFire allows authenticated attackers to inject malicious JavaScript through the firewall country search settings. The injected code executes when other users view those settings, potentially compromising their sessions or performing unauthorized actions. Only IPFire installations before version 2.29 (Core Update 198) are affected.

💻 Affected Systems

Products:
  • IPFire
Versions: All versions prior to 2.29 (Core Update 198)
Operating Systems: IPFire Linux distribution
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the web interface; affects the firewall country search configuration page.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker could steal administrator session cookies, perform actions as other users, redirect users to malicious sites, or compromise the firewall management interface.

🟠 Likely Case

Attackers with authenticated access could perform session hijacking, modify firewall settings, or deploy additional payloads within the management interface.

🟢 If Mitigated

With proper access controls limiting authenticated users, the impact is reduced to potential session compromise among authorized users only.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and knowledge of the vulnerable parameter; no public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IPFire 2.29 (Core Update 198)

Vendor Advisory: https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released

Restart Required: No

Instructions:

1. Log in to the IPFire web interface as admin.
2. Navigate to System > Updates.
3. Apply Core Update 198.
4. Verify that the version shows 2.29.

🔧 Temporary Workarounds

Restrict authenticated user access

Limit which users have access to modify firewall country search settings to only trusted administrators.

🧯 If You Can't Patch

  • Implement strict input validation on the pienumber parameter through custom web application firewall rules.
  • Monitor and audit all modifications to firewall country search settings for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check whether the IPFire version is below 2.29 by logging in to the web interface and viewing System > About.

Check Version:

ssh root@ipfire-ip 'cat /etc/ipfire-release'

Verify Fix Applied:

After updating, verify that the version shows 2.29 and test that script tags in the pienumber parameter are properly encoded when displayed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/logs.cgi/firewalllogcountry.dat with script tags in parameters
  • Multiple failed authentication attempts followed by successful login and configuration changes

Network Indicators:

  • HTTP traffic containing JavaScript payloads in POST parameters to the management interface

SIEM Query:

source="ipfire_web_logs" AND uri="/cgi-bin/logs.cgi/firewalllogcountry.dat" AND (param="pienumber" CONTAINS "<script>" OR param="pienumber" CONTAINS "javascript:")
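
The query above matches only two literal strings, so percent-encoded or event-handler input passes it. The following added example (not from the advisory or from IPFire) decodes the pienumber value twice and flags anything that carries markup or is not a short number. The "user method path body" record layout, the sample records and the assumption that legitimate values are 1 to 3 digits are all constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus

TARGET_PATH = "/cgi-bin/logs.cgi/firewalllogcountry.dat"  # from the advisory
PARAM = "pienumber"                                       # from the advisory
# Script tags, javascript: URLs, inline event handlers, raw HTML metacharacters.
MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=|[<>\"']", re.IGNORECASE)
NUMERIC = re.compile(r"\d{1,3}")  # assumption: legitimate values are short decimal numbers


def suspicious_values(path, form_body):
    """Return (decoded_value, reason) for each suspect pienumber value in one request."""
    base, _, query = path.partition("?")
    if base != TARGET_PATH:
        return []
    hits = []
    for raw in (query, form_body):
        for value in parse_qs(raw).get(PARAM, []):
            decoded = unquote_plus(value)  # second decode catches double-encoded input
            if MARKERS.search(decoded):
                hits.append((decoded, "html-marker"))
            elif not NUMERIC.fullmatch(decoded):
                hits.append((decoded, "non-numeric"))
    return hits


def scan(lines):
    """Scan 'user method path body' records; return (user, value, reason) tuples."""
    findings = []
    for line in lines:
        user, _method, path, body = line.split(" ", 3)
        findings += [(user, v, r) for v, r in suspicious_values(path, body)]
    return findings


# Constructed sample records (not real IPFire log output).
SAMPLE = [
    "admin POST /cgi-bin/logs.cgi/firewalllogcountry.dat pienumber=10",
    "user2 POST /cgi-bin/logs.cgi/firewalllogcountry.dat pienumber=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "user2 POST /cgi-bin/logs.cgi/firewalllogcountry.dat pienumber=%2522%2520onmouseover%253Dx",
    "user3 POST /cgi-bin/logs.cgi/firewalllogcountry.dat pienumber=abc",
    "admin GET /cgi-bin/index.cgi -",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

This only works where the logging pipeline records POST bodies or query strings; a default access log that stores just the request line will not contain the parameter.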
