PT-2026-20500 · Ipfire · Ipfire
Ozer Goker · Published 2026-02-18 · Updated 2026-02-18 · CVE-2019-25398
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
IPFire version 2.21 Core Update 127
Description
The software contains multiple cross-site scripting issues in the ovpnmain.cgi script. Attackers can inject malicious scripts through VPN configuration parameters by submitting POST requests. Specifically, attackers can leverage parameters such as VPN IP, DMTU, ccdname, ccdsubnet, DOVPN SUBNET, DHCP DOMAIN, DHCP DNS, DHCP WINS, ROUTES PUSH, FRAGMENT, KEEPALIVE 1, and KEEPALIVE 2 to execute arbitrary JavaScript in administrator browsers. The API endpoint involved is the ovpnmain.cgi script.
Recommendations
Update to a newer version that contains a fix for this vulnerability.
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Ipfire