CVE-2025-34303

Name of the Vulnerable Software and Affected Versions IPFire versions prior to 2.29 (Core Update 198)

Description IPFire versions prior to 2.29 (Core Update 198) are susceptible to a stored cross-site scripting (XSS) issue. An authenticated attacker can inject arbitrary JavaScript code through the IGNORE ENTRY REMARK parameter when adding a whitelisted host. The vulnerability occurs because the value of the IGNORE ENTRY REMARK parameter, submitted via an HTTP POST request to the /cgi-bin/ids.cgi Request-URI, is stored and rendered in the web interface without sufficient sanitization or encoding. This allows injected scripts to execute within the context of other users viewing the affected whitelist entry.

Recommendations Update to version 2.29 (Core Update 198) or later.