CVE-2025-34309 MEDIUM

CVE-2025-34309: IPFire < v2.29 Stored XSS via Dynamic DNS Host

Vendor Ipfire.org
Product IPFire
Weakness CWE-79 · XSS
Published October 28, 2025
Last update October 28, 2025
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the SERVICE, LOGIN, and PASSWORD parameters when creating or editing a Dynamic DNS host. When a new Dynamic DNS host is added, the application issues an HTTP POST request to /cgi-bin/ddns.cgi and saves the values of the LOGIN, PASSWORD, and SERVICE parameters. The SERVICE value is displayed after the host entry is created, and the LOGIN and PASSWORD values are displayed when that host entry is edited. The values of these parameters are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view or edit the affected Dynamic DNS entries.

Key dates

02Disclosure timeline

October 28, 2025 CVE published
October 28, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-25704 WordPress Interactive SVG Image Map Builder Plugin <= 1.0 is vulnerable to Cross Site Scripting (XSS) CVE-2025-22806 WordPress Black Widgets For Elementor plugin <= 1.3.8 - Cross Site Scripting (XSS) vulnerability CVE-2026-26352 Smoothwall Express < 3.1 Update 13 Stored XSS in vpnmain.cgi via VPN_IP Parameter CVE-2025-40975 Multiple vulnerabilities in WorkDo products CVE-2023-48507 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)