PT-2026-20501 · Ipfire · Ipfire
Ozer Goker · Published 2026-02-18 · Updated 2026-02-18 · CVE-2019-25399
CVSS v3.1: 6.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
IPFire version 2.21 Core Update 127
Description
The software contains multiple stored cross-site scripting issues in the extrahd.cgi script. Attackers can inject malicious scripts through the FS, PATH, and UUID parameters: by submitting POST requests with script payloads in these parameters, they can execute arbitrary JavaScript within authenticated administrator sessions.
Recommendations
Apply updates to address the issue in IPFire version 2.21 Core Update 127.
Exploit
Fix
XSS
Affected Products
Ipfire