CVE-2019-25396

Name of the Vulnerable Software and Affected Versions IPFire version 2.21 Core Update 127

Description The software contains a reflected cross-site scripting flaw in the updatexlrator.cgi script. Attackers can inject malicious scripts through POST parameters. Specifically, crafted requests with script payloads in the MAX DISK USAGE or MAX DOWNLOAD RATE parameters can lead to the execution of arbitrary JavaScript in users' browsers. The affected API endpoint is updatexlrator.cgi. The vulnerable parameters are MAX DISK USAGE and MAX DOWNLOAD RATE.

Recommendations Update to a newer version that contains a fix for this vulnerability.