CVE-2025-50974

Name of the Vulnerable Software and Affected Versions: IPFire version 2.29

Description: The Calamaris log exporter CGI script (/cgi-bin/logs.cgi/calamaris.dat) does not properly sanitize user-supplied input before using it in shell commands. This allows a remote, unauthenticated attacker to inject arbitrary OS commands by embedding shell metacharacters in the following parameters: BYTE UNIT, DAY BEGIN, DAY END, HIST LEVEL, MONTH BEGIN, MONTH END, NUM CONTENT, NUM DOMAINS, NUM HOSTS, NUM URLS, PERF INTERVAL, YEAR BEGIN, and YEAR END.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.