CVE-2025-34308

Name of the Vulnerable Software and Affected Versions IPFire versions prior to 2.29 (Core Update 198)

Description IPFire versions prior to 2.29 (Core Update 198) are susceptible to a stored cross-site scripting (XSS) issue. An authenticated attacker can inject arbitrary JavaScript code through the UPDATE VALUE parameter when updating the default time synchronization settings. The application sends an HTTP POST request to the /cgi-bin/time.cgi endpoint, where the UPDATE VALUE parameter is used. The value of this parameter is stored and displayed in the web interface without proper sanitization, enabling the execution of injected scripts in the context of other users viewing the Time Server configuration page.

Recommendations Update to version 2.29 (Core Update 198) or later.