CVE-2025-34313
📋 TL;DR
This stored XSS vulnerability in IPFire allows authenticated attackers to inject malicious JavaScript through user quota rules. The injected code executes when other users view the affected quota entries, potentially compromising their sessions or performing unauthorized actions. This affects all IPFire installations running versions before 2.29 Core Update 198.
💻 Affected Systems
- IPFire
📦 What is this software?
Ipfire by Ipfire
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, perform administrative actions as other users, redirect users to malicious sites, or install backdoors through the web interface.
Likely Case
Authenticated users with quota management privileges could perform session hijacking against other users, modify firewall rules, or exfiltrate sensitive configuration data.
If Mitigated
With proper network segmentation and limited user privileges, impact would be contained to the web interface with no access to underlying systems.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the web interface. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IPFire 2.29 (Core Update 198)
Vendor Advisory: https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released
Restart Required: No
Instructions:
1. Log into the IPFire web interface as admin.
2. Navigate to System > Updates.
3. Apply Core Update 198.
4. Verify the update completes successfully.
🔧 Temporary Workarounds
Disable User Quota Management
Remove quota management permissions from non-administrative users to prevent exploitation.
Implement Web Application Firewall
Deploy a WAF with XSS protection rules to block malicious payloads.
🧯 If You Can't Patch
- Restrict access to the web interface to trusted networks only
- Implement strict user privilege separation and audit all quota rule changes
🔍 How to Verify
Check if Vulnerable:
Check IPFire version via web interface dashboard or SSH command: cat /etc/ipfire-release
Check Version:
cat /etc/ipfire-release
Verify Fix Applied:
Verify the version shows 2.29 or Core Update 198. Test by attempting to inject a basic XSS payload in the QUOTA_USERS field.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /cgi-bin/urlfilter.cgi with MODE=USERQUOTA containing script tags
- Multiple quota rule creations/modifications by single user
Network Indicators:
- HTTP traffic to IPFire web interface containing JavaScript in POST parameters
SIEM Query:
source="ipfire.log" AND uri="/cgi-bin/urlfilter.cgi" AND method="POST" AND (params CONTAINS "<script" OR params CONTAINS "javascript:")
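The two log indicators above, written as a small offline scanner. This is an added example, not code from IPFire or from the original advisory. It assumes an audit log (for instance from a reverse proxy or WAF in front of the web interface) that records POST bodies in a tab-separated layout constructed for this example; the burst threshold is also an assumption. Unlike a raw substring match, it URL-decodes `QUOTA_USERS` before checking, so encoded and double-encoded markup is caught as well.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus

# Heuristic: markup characters and script URLs do not belong in a user list.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so %253Cscript is seen as <script."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

# Assumed record layout: timestamp, user, method, uri, url-encoded POST body.
def scan(lines, burst_threshold=3):
    """Return (xss_hits, users with >= burst_threshold quota changes)."""
    hits, changes = [], Counter()
    for line in lines:
        ts, user, method, uri, body = line.rstrip("\n").split("\t", 4)
        if method != "POST" or uri.split("?")[0] != "/cgi-bin/urlfilter.cgi":
            continue
        form = parse_qs(body, keep_blank_values=True)
        if form.get("MODE", [""])[0] != "USERQUOTA":
            continue
        changes[user] += 1
        for raw in form.get("QUOTA_USERS", []):
            value = fully_decode(raw)
            if SUSPICIOUS.search(value):
                hits.append((ts, user, value))
    noisy = sorted(u for u, n in changes.items() if n >= burst_threshold)
    return hits, noisy

# Constructed sample records, not taken from a real IPFire system.
SAMPLE = [
    "2025-01-01T10:00:00\talice\tPOST\t/cgi-bin/urlfilter.cgi\tMODE=USERQUOTA&QUOTA_USERS=bob%0D%0Acarol",
    "2025-01-01T10:05:00\tmallory\tPOST\t/cgi-bin/urlfilter.cgi\tMODE=USERQUOTA&QUOTA_USERS=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "2025-01-01T10:06:00\tmallory\tPOST\t/cgi-bin/urlfilter.cgi\tMODE=USERQUOTA&QUOTA_USERS=%253Cscript%253Ealert(1)%253C%252Fscript%253E",
    "2025-01-01T10:07:00\tmallory\tPOST\t/cgi-bin/urlfilter.cgi\tMODE=USERQUOTA&QUOTA_USERS=dave",
    "2025-01-01T10:08:00\talice\tGET\t/cgi-bin/index.cgi\t",
]

if __name__ == "__main__":
    hits, noisy = scan(SAMPLE)
    print("suspicious QUOTA_USERS values:", hits)
    print("users with repeated quota changes:", noisy)
```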