PT-2025-44161 · Ipfire · Ipfire

Alex Williams · Published 2025-10-28 · Updated 2025-10-28 · CVE-2025-34302

CVSS v3.1

5.4 Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

IPFire versions prior to 2.29 (Core Update 198)

Description

IPFire versions prior to 2.29 (Core Update 198) are susceptible to a stored cross-site scripting (XSS) issue. An authenticated attacker can inject arbitrary JavaScript code through the PROT parameter when creating a new service. The application sends an HTTP POST request with the ACTION parameter set to saveservice, and the protocol type is specified in the PROT parameter. The value of this parameter is stored and rendered in the web interface without proper sanitization, enabling injected scripts to execute in the context of other users viewing the affected service entry.

Recommendations

Update to version 2.29 (Core Update 198) or later.
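
A detection-side check for the request described above, added here as an example and not code from IPFire or from this advisory: it flags saveservice form submissions whose PROT value falls outside an allow-list and HTML-escapes the offending value before reporting it. The allow-list contents, the NAME and PORT fields and the sample request bodies are assumptions constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# Assumption: the protocol values a legitimate service entry would carry.
# Adjust to whatever the deployed web interface actually offers.
ALLOWED_PROT = {"TCP", "UDP", "ICMP"}

# Constructed url-encoded POST bodies, not real captures.
# NAME and PORT are hypothetical field names used only as filler.
SAMPLE_BODIES = [
    "ACTION=saveservice&NAME=web&PORT=443&PROT=TCP",
    "ACTION=saveservice&NAME=dns&PORT=53&PROT=UDP",
    "ACTION=saveservice&NAME=x&PORT=1&PROT=TCP%22%3E%3Cb%3Econstructed%3C%2Fb%3E",
    "ACTION=savehost&PROT=%3Cb%3E",           # different action: out of scope
    "ACTION=saveservice&NAME=y&PORT=2",       # PROT missing entirely
]


def inspect_body(body):
    """Return a finding string for a suspicious saveservice request, else None."""
    fields = parse_qs(body, keep_blank_values=True)
    if "saveservice" not in fields.get("ACTION", []):
        return None
    prot = fields.get("PROT", [])
    # Zero or repeated PROT parameters are anomalous for a form submission.
    if len(prot) != 1:
        return f"expected one PROT value, got {len(prot)}"
    if prot[0] not in ALLOWED_PROT:
        # Escape before reporting so the finding is safe to show in an HTML console.
        return "unexpected PROT value: " + html.escape(prot[0], quote=True)
    return None


def scan(bodies):
    """Return (index, finding) pairs for every body that inspect_body flags."""
    return [(i, f) for i, b in enumerate(bodies) if (f := inspect_body(b))]


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_BODIES):
        print(f"request {index}: {finding}")
```

The same allow-list test applies server-side at the point where the value is stored, with output encoding at render time as the second layer.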

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-34302

Affected Products

Ipfire