IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to in

APPLICATION

28-10-2025 23:08

CVE-2025-34317 Vulnerabilidad documentada

Sin puntuación

Tags

#xss

#site

#cross

#web

#javascript

#java

#cross-site

#config

#add

#application

#vulnerability

#cross-site scripting

#affected

#authenticated

#arbitrary

#scripting

#issue

#inject

#execute

#dns

#configuration

#allow

#attack

#affect

Descripción

IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker inject arbitrary JavaScript code through the TLS_HOSTNAME parameter when adding a new DNS entry. When user adds entry, application issues HTTP POST request /cgi-bin/dns.cgi and TLS hostname is provided in parameter. The value of this later rendered web interface without proper sanitation or encoding, allowing injected scripts execute context other users who view affected configuration.

https://bugzilla.ipfire.org/show_bug.cgi?id=13892

https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released

https://www.vulncheck.com/advisories/ipfire-stored-xss-via-dns-settings-dns-cgi

Referencia

Link externo

Ver detalles

Fuente

https://nvd.nist.gov/vuln/detail/CVE-2025-34317

Resultados similares

Coincidentes en almenos en 50% de los tags

29-10-2025
Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack Thre...
Ver información

28-10-2025 CVE-2025-34316
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vu...
Ver información