PT-2025-44168 · Ipfire · Ipfire

Alex Williams · Published 2025-10-28 · Updated 2025-10-29 · CVE-2025-34309

CVSS v3.1: 5.4 Medium

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: IPFire versions prior to 2.29 (Core Update 198)

Description: The software contains a stored cross-site scripting (XSS) issue that allows an authenticated attacker to inject arbitrary JavaScript code by manipulating the SERVICE, LOGIN, and PASSWORD parameters when creating or editing a Dynamic DNS host. The values of these parameters are submitted in an HTTP POST request to the /cgi-bin/ddns.cgi endpoint and saved by the application. They are then displayed without proper sanitization or encoding, so the script executes in the context of other users viewing or editing the Dynamic DNS entries.

Recommendations: Update to version 2.29 (Core Update 198) or later.
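
The flaw class described above, as an added example (not IPFire's code, which this page does not show): a minimal Python model of the view and edit pages that renders the three stored fields with and without output encoding, plus a regression check that stored values cannot change the page's element or attribute structure. The function names, markup and sample values are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Parameter names come from the advisory; everything else here is assumed.
FIELDS = ("SERVICE", "LOGIN", "PASSWORD")

# Constructed sample record: markup in element context, a quote in attribute context.
SAMPLE = {
    "SERVICE": "<script>/*constructed*/</script>",
    "LOGIN": '" onfocus="/*constructed*/',
    "PASSWORD": "p&ss<word>",
}

def _enc(encode):
    # quote=True also encodes " and ', which the attribute context needs.
    return (lambda s: html.escape(s, quote=True)) if encode else (lambda s: s)

def view_row(entry, encode=True):
    """Listing page: stored values land in element content."""
    enc = _enc(encode)
    return "<tr>" + "".join(f"<td>{enc(entry[f])}</td>" for f in FIELDS) + "</tr>"

def edit_form(entry, encode=True):
    """Edit page: stored values land inside a quoted attribute."""
    enc = _enc(encode)
    inputs = "".join(f'<input name="{f}" value="{enc(entry[f])}">' for f in FIELDS)
    return "<form>" + inputs + "</form>"

class _Shape(HTMLParser):
    """Records each start tag together with its attribute names."""
    def __init__(self):
        super().__init__()
        self.shape = []

    def handle_starttag(self, tag, attrs):
        self.shape.append((tag, tuple(sorted(name for name, _ in attrs))))

def markup_shape(page):
    parser = _Shape()
    parser.feed(page)
    parser.close()
    return parser.shape

def injects_markup(render, entry):
    """True if stored values alter the tags or attributes the template emits."""
    baseline = {f: "x" for f in FIELDS}
    return markup_shape(render(entry)) != markup_shape(render(baseline))
```

Running `injects_markup` against every template that displays stored settings gives a regression test that fails as soon as a field is emitted without encoding.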

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-34309

Affected Products: Ipfire