CVE-2025-34314

Name of the Vulnerable Software and Affected Versions IPFire versions prior to 2.29 (Core Update 198)

Description The software contains a stored cross-site scripting (XSS) issue that allows an authenticated attacker to inject arbitrary JavaScript code. This is achieved by manipulating the SRC, DST, and COMMENT parameters when creating a time constraint rule. The application sends an HTTP POST request to the /cgi-bin/urlfilter.cgi endpoint with the MODE parameter set to TIMECONSTRAINT. The values provided in the SRC, DST, and COMMENT parameters are stored and displayed in the web interface without sufficient sanitization, enabling the execution of injected scripts within the context of other users viewing the affected time constraint entry.

Recommendations Update to version 2.29 (Core Update 198) or later.