CVE-2025-34318
Description
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD parameters when adding a new DNS entry. When a user adds a DNS entry, the application issues an HTTP POST request to /cgi-bin/dns.cgi and these values are provided in the corresponding parameters. The values are stored and later rendered in the web interface without proper sanitization or encoding, allowing injected scripts to execute in the context of other users who view the affected DNS configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers can inject stored XSS via DNS creation parameters in IPFire < 2.29 (Core Update 198), affecting users who view the DNS configuration.
Vulnerability
Analysis
CVE-2025-34318 is a stored cross-site scripting (XSS) vulnerability affecting IPFire versions prior to 2.29 (Core Update 198). The root cause is improper sanitization or encoding of user-supplied input in several parameters—TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD—during the creation of a new DNS entry via an HTTP POST request to /cgi-bin/dns.cgi[1][2]. The values are stored server-side without proper escaping, and later rendered in the web interface without context-aware encoding, allowing arbitrary JavaScript to execute in the browser of any user who views the affected DNS configuration[2].
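The missing output encoding described above, as an added Python illustration (not IPFire's code): it renders a stored DNS entry with and without HTML encoding and flags stored values that deserve review. The function names, the dictionary layout, the hostname pattern and the sample record are assumptions made for this example.

```python
import html
import re

# The five parameters named in the CVE description.
FIELDS = ("TLS_HOSTNAME", "UPSTREAM_USER", "UPSTREAM_PASSWORD",
          "ADMIN_MAIL_ADDRESS", "ADMIN_PASSWORD")

# Assumption: TLS_HOSTNAME should only ever hold an RFC 1123 style hostname.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}\Z){LABEL}(?:\.{LABEL})*\Z")

def render_row_unsafe(entry):
    """Flawed pattern: stored values are interpolated into HTML as-is."""
    return "<tr>" + "".join(f"<td>{entry.get(f, '')}</td>" for f in FIELDS) + "</tr>"

def render_row_safe(entry):
    """Encode each stored value for the HTML context when it is rendered."""
    cells = (html.escape(str(entry.get(f, "")), quote=True) for f in FIELDS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"

def audit_entry(entry):
    """Return field names whose stored value should be reviewed by an admin."""
    flagged = []
    for f in FIELDS:
        value = str(entry.get(f, ""))
        if f == "TLS_HOSTNAME":
            bad = bool(value) and not HOSTNAME_RE.match(value)
        else:
            # Passwords may legitimately contain these characters, so this is
            # a review hint; output encoding is what makes rendering safe.
            bad = "<" in value or ">" in value
        if bad:
            flagged.append(f)
    return flagged

# Constructed sample record, not taken from a real system.
SAMPLE = {
    "TLS_HOSTNAME": 'dns.example.net"><script>x()</script>',
    "UPSTREAM_USER": "resolver",
    "UPSTREAM_PASSWORD": "p<4ss>w0rd",
    "ADMIN_MAIL_ADDRESS": "admin@example.net",
    "ADMIN_PASSWORD": "s3cret",
}

if __name__ == "__main__":
    print(render_row_safe(SAMPLE))
    print(audit_entry(SAMPLE))
```

The password field in the sample shows why validation alone is not enough: a legitimate secret can contain markup characters, so encoding at render time has to cover every field.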
Exploitation
To exploit this vulnerability, an attacker must be authenticated to the IPFire web interface. The attacker supplies malicious JavaScript payloads in any of the vulnerable parameters when adding or modifying a DNS entry. No additional privileges beyond standard user access are required[1][2]. The injected script is persisted and executed each time another administrator or user navigates to the DNS configuration page, making the attack simple to stage once authenticated access is obtained.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the security context of other users, including administrators, who view the DNS settings page. This can lead to session hijacking, credential theft, defacement of the interface, or other malicious actions performed within the victim's session[2]. The attack does not require any user interaction beyond viewing the affected page, amplifying its potential for harm in multi-user IPFire deployments.
Mitigation
The vulnerability is fixed in IPFire 2.29 (Core Update 198), which was released on October 13, 2025[1]. Administrators are strongly advised to update their installations to this version or later. No workarounds are documented; upgrading to the patched release is the only reliable mitigation[1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.