PT-2025-44170 · Ipfire · Ipfire

Alex Williams · Published 2025-10-28 · Updated 2025-10-29 · CVE-2025-34311

CVSS v3.1: 8.8 High (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: IPFire versions prior to 2.29 (Core Update 198)

Description: IPFire versions prior to 2.29 (Core Update 198) contain a command injection issue. An authenticated attacker can execute arbitrary commands as the 'nobody' user through multiple parameters when creating a Proxy report. The application issues an HTTP POST request to the /cgi-bin/logs.cgi/calamaris.dat endpoint and reads values from parameters including DAY BEGIN, MONTH BEGIN, YEAR BEGIN, DAY END, MONTH END, YEAR END, NUM DOMAINS, PERF INTERVAL, NUM CONTENT, HIST LEVEL, NUM HOSTS, NUM URLS, and BYTE UNIT. These parameters are directly interpolated into a shell invocation of the mkreport helper without proper sanitization, allowing for the injection of shell metacharacters and execution of arbitrary commands with 'nobody' user privileges.

Recommendations: Update to IPFire version 2.29 (Core Update 198) or later.
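The defensive pattern for the class of bug described above, as an added example that is not IPFire's code: each report parameter is checked against a strict allow-list (short digit strings within a range, or a fixed set of byte units) and the validated values are passed to the helper as an argv list with no shell in between, next to the string-interpolation pattern the advisory describes. The parameter names are those listed in the advisory; the mkreport path, the value ranges and the unit set are assumptions for illustration.

```python
import re
import subprocess

# Parameter names as listed in the advisory. The helper path, the value ranges
# and the byte-unit set are assumptions for this example, not IPFire's real ones.
MKREPORT = "/path/to/mkreport"  # placeholder path
INT_FIELDS = {
    "DAY BEGIN": (1, 31), "MONTH BEGIN": (1, 12), "YEAR BEGIN": (2000, 2100),
    "DAY END": (1, 31), "MONTH END": (1, 12), "YEAR END": (2000, 2100),
    "NUM DOMAINS": (1, 1000), "PERF INTERVAL": (1, 1440), "NUM CONTENT": (1, 1000),
    "HIST LEVEL": (0, 10), "NUM HOSTS": (1, 1000), "NUM URLS": (1, 1000),
}
BYTE_UNITS = ("B", "K", "M", "G")
DIGITS = re.compile(r"[0-9]{1,4}")


def validate(params):
    """Return a cleaned copy of the POST parameters or raise ValueError.

    Numeric fields must be short digit strings inside their range and the unit
    must come from a fixed set, so no shell metacharacter can survive."""
    clean = {}
    for name, (lo, hi) in INT_FIELDS.items():
        raw = params.get(name, "")
        if DIGITS.fullmatch(raw) is None or not lo <= int(raw) <= hi:
            raise ValueError(f"{name}: rejected {raw!r}")
        clean[name] = str(int(raw))
    unit = params.get("BYTE UNIT", "")
    if unit not in BYTE_UNITS:
        raise ValueError(f"BYTE UNIT: rejected {unit!r}")
    clean["BYTE UNIT"] = unit
    return clean


def is_valid(params):
    try:
        validate(params)
        return True
    except ValueError:
        return False


def vulnerable_command(params):
    """The pattern the advisory describes: raw values pasted into one shell string."""
    return MKREPORT + " " + " ".join(params.get(k, "") for k in [*INT_FIELDS, "BYTE UNIT"])


def hardened_argv(params):
    """Validated values as an argv list; nothing here is ever parsed by a shell."""
    return [MKREPORT, *validate(params).values()]


def run_report(params):
    # A list plus shell=False runs the helper directly without invoking /bin/sh.
    return subprocess.run(hardened_argv(params), shell=False, check=True)
```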

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2025-34311

Affected Products: Ipfire