CVE-2025-34317

28.10.2025, 15:16

IPFire versions prior to 2.29 (Core Update 198) containa stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the TLS_HOSTNAME parameter when adding a new DNS entry. When a user adds a DNS entry, the application issues an HTTP POST request to /cgi-bin/dns.cgi and the TLS hostname is provided in the TLS_HOSTNAME parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected DNS configuration.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
VulnCheck	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Vendor	Product	Version
ipfire	ipfire	𝑥 ≤ 2.29
ipfire	ipfire	2.29:core_update183
ipfire	ipfire	2.29:core_update184
ipfire	ipfire	2.29:core_update185
ipfire	ipfire	2.29:core_update186
ipfire	ipfire	2.29:core_update187
ipfire	ipfire	2.29:core_update188
ipfire	ipfire	2.29:core_update189
ipfire	ipfire	2.29:core_update190
ipfire	ipfire	2.29:core_update191
ipfire	ipfire	2.29:core_update192
ipfire	ipfire	2.29:core_update193
ipfire	ipfire	2.29:core_update194
ipfire	ipfire	2.29:core_update195
ipfire	ipfire	2.29:core_update196
ipfire	ipfire	2.29:core_update197

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://bugzilla.ipfire.org/show_bug.cgi?id=13892

https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released

https://www.vulncheck.com/advisories/ipfire-stored-xss-via-dns-settings-dns-cgi