Ipfire

Ipfire

34 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.4

CVE-2025-34314

  • EPSS 0.05%
  • Veröffentlicht 28.10.2025 14:33:09
  • Zuletzt bearbeitet 03.11.2025 17:02:38

IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the SRC, DST, and COMMENT parameters when creating a time cons...

5.4

CVE-2025-34313

  • EPSS 0.05%
  • Veröffentlicht 28.10.2025 14:32:47
  • Zuletzt bearbeitet 03.11.2025 17:02:29

IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the QUOTA_USERS parameter when creating a user quota rule. Whe...

5.4

CVE-2025-34303

  • EPSS 0.05%
  • Veröffentlicht 28.10.2025 14:32:25
  • Zuletzt bearbeitet 03.11.2025 17:01:07

IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the IGNORE_ENTRY_REMARK parameter when adding a whitelisted ho...

6.1

CVE-2025-50976

Exploit
  • EPSS 0.03%
  • Veröffentlicht 26.08.2025 00:00:00
  • Zuletzt bearbeitet 09.09.2025 18:55:44

IPFire 2.29 DNS management interface (dns.cgi) fails to properly sanitize user-supplied input in the NAMESERVER, REMARK, and TLS_HOSTNAME query parameters, resulting in a reflected cross-site scripting (XSS) vulnerability.

5.4

CVE-2025-50975

Exploit
  • EPSS 0.03%
  • Veröffentlicht 26.08.2025 00:00:00
  • Zuletzt bearbeitet 09.09.2025 18:55:29

IPFire 2.29 web-based firewall interface (firewall.cgi) fails to sanitize several rule parameters such as PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, and tgt_addr, allowing an authenticated administrator to inject pers...

6.5

CVE-2025-50974

Exploit
  • EPSS 0.08%
  • Veröffentlicht 26.08.2025 00:00:00
  • Zuletzt bearbeitet 09.09.2025 18:56:04

The Calamaris log exporter CGI (/cgi-bin/logs.cgi/calamaris.dat) in IPFire 2.29 does not properly sanitize user-supplied input before incorporating parameter values into a shell command. An unauthenticated remote attacker can inject arbitrary OS comm...

8.7

CVE-2025-34116

  • EPSS 56.87%
  • Veröffentlicht 15.07.2025 13:15:32
  • Zuletzt bearbeitet 15.07.2025 20:07:28

A remote command execution vulnerability exists in IPFire before version 2.19 Core Update 101 via the 'proxy.cgi' CGI interface. An authenticated attacker can inject arbitrary shell commands through crafted values in the NCSA user creation form field...

4.8

CVE-2022-36368

  • EPSS 0.24%
  • Veröffentlicht 24.10.2022 14:15:50
  • Zuletzt bearbeitet 07.05.2025 15:15:52

Multiple stored cross-site scripting vulnerabilities in the web user interface of IPFire versions prior to 2.27 allows a remote authenticated attacker with administrative privilege to inject an arbitrary script.

5.4

CVE-2020-19204

  • EPSS 0.32%
  • Veröffentlicht 12.07.2021 16:15:08
  • Zuletzt bearbeitet 21.11.2024 05:09:01

An authenticated Stored Cross-Site Scriptiong (XSS) vulnerability exists in Lightning Wire Labs IPFire 2.21 (x86_64) - Core Update 130 in the "routing.cgi" Routing Table Entries via the "Remark" text box or "remark" parameter. It allows an authentica...

6.1

CVE-2020-21142

Exploit
  • EPSS 0.28%
  • Veröffentlicht 28.06.2021 20:15:07
  • Zuletzt bearbeitet 21.11.2024 05:12:27

Cross Site Scripting (XSS) vulnerabilty in IPFire 2.23 via the IPfire web UI in the mail.cgi.