CVE-2025-34308

5.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in IPFire allows authenticated attackers to inject malicious JavaScript into the time synchronization settings page. When other users view the affected configuration page, the injected code executes in their browser context. This affects IPFire firewall administrators with access to the web interface.

💻 Affected Systems

Products:
  • IPFire
Versions: All versions prior to 2.29 (Core Update 198)
Operating Systems: IPFire Linux distribution
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the web interface; affects the time synchronization configuration page specifically.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker could steal administrator session cookies, perform actions as other users, or redirect users to malicious sites, potentially leading to full system compromise.

🟠 Likely Case

Attackers with authenticated access could perform session hijacking, modify firewall settings, or deploy additional malware through the web interface.

🟢 If Mitigated

With proper network segmentation and limited administrative access, impact would be contained to the firewall management interface only.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access; exploitation involves injecting JavaScript through the UPDATE_VALUE parameter in time.cgi POST requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IPFire 2.29 (Core Update 198)

Vendor Advisory: https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released

Restart Required: No

Instructions:

1. Log into the IPFire web interface as admin.
2. Navigate to System > Updates.
3. Apply Core Update 198.
4. Verify the version shows 2.29.

🔧 Temporary Workarounds

Restrict Administrative Access

all

Limit access to the IPFire web interface to trusted IP addresses only through firewall rules.

🧯 If You Can't Patch

  • Disable or restrict access to the time synchronization configuration page for non-essential users.
  • Implement web application firewall rules to block suspicious POST requests to /cgi-bin/time.cgi containing script tags.

🔍 How to Verify

Check if Vulnerable:

Check IPFire version via web interface dashboard or SSH command 'cat /etc/ipfire-release'.

Check Version:

cat /etc/ipfire-release

Verify Fix Applied:

Verify version is 2.29 or higher and test time synchronization page for proper input sanitization.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/time.cgi with JavaScript payloads in UPDATE_VALUE parameter
  • Multiple failed authentication attempts followed by successful login and time.cgi access

Network Indicators:

  • HTTP POST requests to /cgi-bin/time.cgi containing script tags or JavaScript code

SIEM Query:

source="ipfire_web_logs" AND uri="/cgi-bin/time.cgi" AND method="POST" AND (UPDATE_VALUE CONTAINS "<script>" OR UPDATE_VALUE CONTAINS "javascript:")
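
The query above matches only the literal strings "<script>" and "javascript:", so a percent-encoded or mixed-case value passes it unnoticed. The following is an added example, not code from IPFire or from this advisory, that decodes UPDATE_VALUE before checking it. It assumes the request method, path and raw form body are available to the detector (for example from a proxy or WAF that records bodies); the function names and sample records are constructed for illustration.

```python
from urllib.parse import parse_qs, unquote_plus

TARGET_URI = "/cgi-bin/time.cgi"
# Characters and schemes that have no place in a time-sync setting value.
MARKERS = ("<", ">", '"', "'", "javascript:")


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so nested encodings are not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_update_value(method, uri, body):
    """Return decoded UPDATE_VALUE values that carry markup; [] if clean."""
    if method.upper() != "POST" or uri.split("?", 1)[0] != TARGET_URI:
        return []
    hits = []
    # parse_qs decodes once; fully_decode handles any further layers.
    for raw in parse_qs(body, keep_blank_values=True).get("UPDATE_VALUE", []):
        value = fully_decode(raw)
        if any(marker in value.lower() for marker in MARKERS):
            hits.append(value)
    return hits


def scan(records):
    """Return (record index, flagged values) for every suspicious record."""
    results = []
    for index, (method, uri, body) in enumerate(records):
        hits = suspicious_update_value(method, uri, body)
        if hits:
            results.append((index, hits))
    return results


# Constructed sample records: (method, uri, form body).
SAMPLE_RECORDS = [
    ("POST", "/cgi-bin/time.cgi", "ACTION=save&UPDATE_VALUE=1"),
    ("POST", "/cgi-bin/time.cgi", "UPDATE_VALUE=%3CScRiPt%3Ealert(1)%3C%2FScRiPt%3E"),
    ("POST", "/cgi-bin/time.cgi", "UPDATE_VALUE=%253Cscript%253E"),
    ("GET", "/cgi-bin/time.cgi", ""),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_RECORDS):
        print(f"record {index}: suspicious UPDATE_VALUE {hits!r}")
```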
