PT-2026-20502 · Ipfire · Ipfire

Ozer Goker · Published 2026-02-18 · Updated 2026-02-18 · CVE-2019-25400

CVSS v3.1: 5.4 Medium

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

IPFire version 2.21 Core Update 127

Description

The software contains multiple reflected cross-site scripting issues in the fwhosts.cgi script. Attackers can inject malicious scripts through several parameters, including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp name, remark, SRV NAME, SRV PORT, SRVGRP NAME, SRVGRP REMARK, and updatesrvgrp. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated users' browsers.

Recommendations

Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize all input to the fwhosts.cgi script, especially the parameters HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grp name, remark, SRV NAME, SRV PORT, SRVGRP NAME, SRVGRP REMARK, and updatesrvgrp.
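
The workaround above, sketched as an added example in Perl (the language of IPFire's CGI scripts); this is not IPFire's code or its actual fix. The helper names `html_escape` and `check_field`, the allowlist patterns for IP, SUBNET and HOSTNAME, and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not IPFire code): validate, then HTML-encode, form values
# before a CGI page reflects them. Field names come from the advisory; the
# helper names, patterns and sample values are constructed for illustration.
use strict;
use warnings;

# Encode the five characters that let a value break out of HTML text or a
# quoted attribute. A single pass avoids re-encoding entities just produced.
my %ENT = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
           '"' => '&quot;', "'" => '&#39;');
sub html_escape {
    my ($v) = @_;
    $v = '' unless defined $v;
    $v =~ s/([&<>"'])/$ENT{$1}/g;
    return $v;
}

# Allowlist patterns for fields with a strict grammar (assumed formats).
# Free-text fields such as remarks have no pattern and rely on encoding.
my $octet = qr/(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])/;
my %RULES = (
    IP       => qr/\A$octet(?:\.$octet){3}\z/,
    SUBNET   => qr/\A$octet(?:\.$octet){3}\z/,
    HOSTNAME => qr/\A[A-Za-z0-9][A-Za-z0-9._-]{0,62}\z/,
);

# Returns (ok, safe_value): ok is false when a strict field fails its
# pattern; safe_value is always encoded and safe to print into HTML.
sub check_field {
    my ($name, $value) = @_;
    $value = '' unless defined $value;
    my $rule = $RULES{$name};
    my $ok = (!defined $rule || $value =~ $rule) ? 1 : 0;
    return ($ok, html_escape($value));
}

# Constructed sample POST values, including markup-bearing ones.
my @sample = (
    [ IP         => '192.168.1.10' ],
    [ IP         => '10.0.0.1"><script>alert(1)</script>' ],
    [ HOSTREMARK => 'printer <2nd floor> & "lab"' ],
);
for my $f (@sample) {
    my ($ok, $safe) = check_field(@$f);
    printf "%-10s %-8s %s\n", $f->[0], ($ok ? 'accept' : 'reject'), $safe;
}
```

Rejecting malformed strict fields narrows what reaches the page, but the encoding step is what neutralises reflection, so it is applied to every value whether or not validation passed.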

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2019-25400

Affected Products

Ipfire