CVE-2025-34302

28.10.2025, 15:16

IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the PROT parameter when creating a new service. When a user adds a service, the application issues an HTTP POST request with the ACTION parameter set to saveservice, and the protocol type is specified in the PROT parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitization or encoding, allowing injected scripts to execute in the context of other users viewing the affected service entry.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
VulnCheck	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Vendor	Product	Version
ipfire	ipfire	𝑥 < 2.29
ipfire	ipfire	2.29:core_update183
ipfire	ipfire	2.29:core_update184
ipfire	ipfire	2.29:core_update185
ipfire	ipfire	2.29:core_update186
ipfire	ipfire	2.29:core_update187
ipfire	ipfire	2.29:core_update188
ipfire	ipfire	2.29:core_update189
ipfire	ipfire	2.29:core_update190
ipfire	ipfire	2.29:core_update191
ipfire	ipfire	2.29:core_update192
ipfire	ipfire	2.29:core_update193
ipfire	ipfire	2.29:core_update194
ipfire	ipfire	2.29:core_update195
ipfire	ipfire	2.29:core_update196
ipfire	ipfire	2.29:core_update197

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://bugzilla.ipfire.org/show_bug.cgi?id=13877

https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released

https://www.vulncheck.com/advisories/ipfire-stored-xss-via-service-creation