Aggregates CVE and security vulnerability intelligence across all ipfire-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Common weakness patterns include vendor risk cross-site scripting and vendor risk sql injection, with potential vendor impact session compromise and vendor impact data exposure across vendor surface software deployment use cases.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-34302 | IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the PROT parameter when creating a new service. When a user adds a service, the application issues an HTTP POST request with the ACTION parameter set to saveservice, and the protocol type is specified in the PROT parameter. The value of this parameter is stored and later rendered in the web interface without pr | [email protected] | 5.1 | 0.40% | 2025-10-28 | 2025-11-03 |
| CVE-2025-34301 | IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code into the COUNTRY_CODE parameter when creating a location group. When a user adds a new location group, the application issues an HTTP POST request with the ACTION parameter set to savelocationgrp, and the value of the COUNTRY_CODE parameter determines the flag displayed for that group. The value of this parameter is st | [email protected] | 5.1 | 4.44% | 2025-10-28 | 2025-11-03 |
| CVE-2025-50975 | IPFire 2.29 web-based firewall interface (firewall.cgi) fails to sanitize several rule parameters such as PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, and tgt_addr, allowing an authenticated administrator to inject persistent JavaScript. This stored XSS payload is executed whenever another admin views the firewall rules page, enabling session hijacking, unauthorized actions within the interface, or further internal pivoting. Exploitation requires only high-privileg | [email protected] | 5.4 | 0.28% | 2025-08-26 | 2025-09-09 |
| CVE-2025-50976 | IPFire 2.29 DNS management interface (dns.cgi) fails to properly sanitize user-supplied input in the NAMESERVER, REMARK, and TLS_HOSTNAME query parameters, resulting in a reflected cross-site scripting (XSS) vulnerability. | [email protected] | 6.1 | 0.21% | 2025-08-26 | 2025-09-09 |
| CVE-2025-50974 | The Calamaris log exporter CGI (/cgi-bin/logs.cgi/calamaris.dat) in IPFire 2.29 does not properly sanitize user-supplied input before incorporating parameter values into a shell command. An unauthenticated remote attacker can inject arbitrary OS commands by embedding shell metacharacters in any of the following parameters BYTE_UNIT, DAY_BEGIN, DAY_END, HIST_LEVEL, MONTH_BEGIN, MONTH_END, NUM_CONTENT, NUM_DOMAINS, NUM_HOSTS, NUM_URLS, PERF_INTERVAL, YEAR_BEGIN, YEAR_END. | [email protected] | 6.5 | 0.37% | 2025-08-26 | 2025-09-09 |
| CVE-2022-36368 | Multiple stored cross-site scripting vulnerabilities in the web user interface of IPFire versions prior to 2.27 allows a remote authenticated attacker with administrative privilege to inject an arbitrary script. | [email protected] | 4.8 | 0.68% | 2022-10-24 | 2025-05-07 |
| CVE-2020-19204 | An authenticated Stored Cross-Site Scriptiong (XSS) vulnerability exists in Lightning Wire Labs IPFire 2.21 (x86_64) - Core Update 130 in the "routing.cgi" Routing Table Entries via the "Remark" text box or "remark" parameter. It allows an authenticated WebGUI user to execute Stored Cross-site Scripting in the Routing Table Entries. | [email protected] | 5.4 | 0.74% | 2021-07-12 | 2024-11-21 |
| CVE-2020-21142 | Cross Site Scripting (XSS) vulnerabilty in IPFire 2.23 via the IPfire web UI in the mail.cgi. | [email protected] | 6.1 | 0.69% | 2021-06-28 | 2024-11-21 |
| CVE-2020-19202 | An authenticated Stored XSS (Cross-site Scripting) exists in the "captive.cgi" Captive Portal via the "Title of Login Page" text box or "TITLE" parameter in IPFire 2.21 (x86_64) - Core Update 130. It allows an authenticated WebGUI user with privileges to execute Stored Cross-site Scripting in the Captive Portal page. | [email protected] | 5.4 | 0.57% | 2021-06-17 | 2024-11-21 |
| CVE-2021-33393 | lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It might be owned by an unprivileged account, which could potentially be used to install a Trojan horse backup.pl script that is later executed by root. Similar problems with the ownership/permissions of other files may be present as well. | [email protected] | 8.8 | 58.45% | 2021-06-09 | 2024-11-21 |
| CVE-2018-16232 | An authenticated command injection vulnerability exists in IPFire Firewall before 2.21 Core Update 124 in backup.cgi. This allows an authenticated user with privileges for the affected page to execute arbitrary commands. | [email protected] | 8.8 | 7.79% | 2018-10-17 | 2024-11-21 |
| CVE-2017-9757 | IPFire 2.19 has a Remote Command Injection vulnerability in ids.cgi via the OINKCODE parameter, which is mishandled by a shell. This can be exploited directly by authenticated users, or through CSRF. | [email protected] | 8.8 | 38.50% | 2017-06-19 | 2026-05-13 |