CVE-2025-34310
📋 TL;DR
This stored XSS vulnerability in IPFire allows authenticated attackers to inject malicious JavaScript into Quality of Service settings. When other users view the compromised QoS entries, the scripts execute in their browser context. This affects all IPFire installations running versions before 2.29 Core Update 198.
💻 Affected Systems
- IPFire
📦 What is this software?
Ipfire by Ipfire
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, perform actions as other users, or redirect users to malicious sites, potentially leading to full system compromise.
Likely Case
Attackers with authenticated access could hijack sessions of other users viewing QoS settings, potentially gaining elevated privileges or performing unauthorized configuration changes.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access to the web interface. The vulnerability is in the QoS configuration page accessible to users with appropriate permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IPFire 2.29 Core Update 198
Vendor Advisory: https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released
Restart Required: No
Instructions:
1. Log into IPFire web interface as admin.
2. Navigate to System > Updates.
3. Apply Core Update 198.
4. Verify update completes successfully.
🔧 Temporary Workarounds
Disable QoS functionality
Temporarily disable Quality of Service feature to prevent exploitation until patching
Navigate to Firewall > QoS and disable all QoS rules
Restrict web interface access
Limit access to IPFire web interface to trusted IP addresses only
Configure firewall rules to restrict access to port 444 (HTTPS) and 4443 (HTTP)
🧯 If You Can't Patch
- Implement strict input validation for INC_SPD, OUT_SPD, DEFCLASS_INC, and DEFCLASS_OUT parameters
- Apply output encoding when displaying QoS configuration values in the web interface
🔍 How to Verify
Check if Vulnerable:
Check IPFire version via web interface (System > About) or command line: 'cat /etc/ipfire-release'
Check Version:
cat /etc/ipfire-release
Verify Fix Applied:
Verify version is 2.29 Core Update 198 or later. Test QoS configuration page for proper input sanitization.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /cgi-bin/qos.cgi with JavaScript payloads in parameters
- Multiple failed authentication attempts followed by QoS configuration changes
Network Indicators:
- HTTP POST requests to QoS endpoint containing script tags or JavaScript code in parameter values
SIEM Query:
source="ipfire_web" AND uri="/cgi-bin/qos.cgi" AND (method="POST") AND (param="INC_SPD" OR param="OUT_SPD" OR param="DEFCLASS_INC" OR param="DEFCLASS_OUT") AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
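The validation, output-encoding and log-indicator advice above can be combined into one allow-list check. This is an added example, not IPFire code or part of the original advisory: it percent-decodes a captured POST body and flags any of the four QoS parameters whose value is not a plain integer, instead of matching on specific substrings. It assumes that legitimate values for all four fields are short decimal integers and that request bodies are available from a proxy or WAF log; the function names and sample requests are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs

QOS_PATH = "/cgi-bin/qos.cgi"
QOS_PARAMS = ("INC_SPD", "OUT_SPD", "DEFCLASS_INC", "DEFCLASS_OUT")
# Assumption: valid values for all four fields are short decimal integers.
NUMERIC = re.compile(r"[0-9]{1,9}")


def suspicious_params(method, path, body):
    """Return {param: decoded value} for QoS fields that are not plain integers."""
    if method.upper() != "POST" or path.split("?", 1)[0] != QOS_PATH:
        return {}
    # parse_qs percent-decodes values, so encoded markup is checked in clear form.
    # Blank values are dropped by default and therefore not flagged.
    fields = parse_qs(body)
    hits = {}
    for name in QOS_PARAMS:
        for value in fields.get(name, []):
            if not NUMERIC.fullmatch(value.strip()):
                hits[name] = value
    return hits


def render_value(value):
    """Output encoding: make a stored value inert when placed in an HTML page."""
    return html.escape(value, quote=True)


# Constructed sample requests (method, path, urlencoded body); not real traffic.
SAMPLES = [
    ("POST", QOS_PATH, "INC_SPD=50000&OUT_SPD=10000&DEFCLASS_INC=210&DEFCLASS_OUT=110"),
    ("POST", QOS_PATH, "INC_SPD=%3Cscript%3Ealert(1)%3C%2Fscript%3E&OUT_SPD=10000"),
    ("POST", QOS_PATH, "INC_SPD=50000&DEFCLASS_OUT=javascript%3Avoid(0)"),
    ("GET", QOS_PATH, ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        for name, value in suspicious_params(method, path, body).items():
            # Encode before printing so the alert is safe to show in a web console.
            print(f"ALERT {path} {name}={render_value(value)}")
```

The same allow-list pattern is what server-side validation of these fields would enforce before a value is stored; `render_value` covers the output side for values that are already stored.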