PT-2025-44164 · Ipfire · Ipfire

Alex Williams · Published 2025-10-28 · Updated 2025-10-28 · CVE-2025-34305

CVSS v3.1: 5.4 Medium

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

IPFire versions prior to 2.29 (Core Update 198)

Description

IPFire installations are affected by multiple stored cross-site scripting (XSS) issues. These occur because the cleanhtml() function located at /var/ipfire/header.pl does not correctly apply HTML-entity encoding to user-provided input. Specifically, after calling escape() and HTML::Entities::encode_entities(), the sanitized result is not assigned back to the output variable, so the output still contains the original, unsanitized data. This allows malicious scripts to be stored and executed when other users view the affected entries. The following endpoints are impacted:

/cgi-bin/wakeonlan.cgi (CLIENT_COMMENT parameter)
/cgi-bin/dhcp.cgi (ADVOPT_DATA, FIX_REMARK, FIX_FILENAME, and FIX_ROOTPATH parameters)
/cgi-bin/connscheduler.cgi (ACTION_COMMENT parameter)
/cgi-bin/dnsforward.cgi (REMARK parameter)
/cgi-bin/vpnmain.cgi (REMARK parameter)
/cgi-bin/dns.cgi (REMARK parameter)

Recommendations

Update IPFire to version 2.29 (Core Update 198) or later.
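
The bug class described above (an encoded value that is computed and then discarded) is sketched below next to its corrected form. This is an added illustration, not IPFire's header.pl: escape_copy, cleanhtml_buggy, cleanhtml_fixed and is_encoded are hypothetical names, and the sample remark is constructed.

```perl
#!/usr/bin/perl
# Added illustration; NOT IPFire's header.pl. All helper names are hypothetical.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Hypothetical helper: encodes a copy of its argument and returns the result.
# The caller's variable is never modified.
sub escape_copy {
    my ($text) = @_;
    my $encoded = encode_entities($text, q{<>&"'});
    return $encoded;
}

# Buggy pattern: the encoded value is computed, then thrown away.
sub cleanhtml_buggy {
    my ($out) = @_;
    escape_copy($out);          # return value discarded
    return $out;                # still the raw input
}

# Corrected pattern: assign the encoded value back before returning it.
sub cleanhtml_fixed {
    my ($out) = @_;
    $out = escape_copy($out);
    return $out;
}

# Regression check: no raw markup or quote characters may survive the sanitizer.
sub is_encoded {
    my ($s) = @_;
    return $s !~ /[<>"']/ ? 1 : 0;
}

# Constructed sample: harmless markup standing in for a stored REMARK value.
my $remark = q{<b title="x">office 'printer'</b> & co};

for my $case ([buggy => \&cleanhtml_buggy], [fixed => \&cleanhtml_fixed]) {
    my ($name, $fn) = @$case;
    my $result = $fn->($remark);
    printf "%-5s %-8s %s\n", $name, is_encoded($result) ? 'ENCODED' : 'RAW', $result;
}
```

A check like is_encoded, run against the sanitizer's return value in a unit test, catches this kind of regression before the value reaches a rendered page.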

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-34305

Affected Products

Ipfire