CVE-2025-34310

Name of the Vulnerable Software and Affected Versions IPFire versions prior to 2.29 (Core Update 198)

Description The software contains a stored cross-site scripting (XSS) issue that allows an authenticated attacker to inject arbitrary JavaScript code. This is achieved by manipulating the INC SPD, OUT SPD, DEFCLASS INC, and DEFCLASS OUT parameters when updating Quality of Service (QoS) settings. The application sends an HTTP POST request to the /cgi-bin/qos.cgi endpoint with these parameters. The values are stored and displayed in the web interface without sufficient sanitization, enabling script execution in the context of other users.

Recommendations Update to version 2.29 (Core Update 198) or later.