CVE-2025-34301

  • Published: 1761664570
  • Last modified: 1761664570

CVE-2025-34301 — IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code into the COUNTRY_CODE parameter when creating a location group. When a user adds a new location group, the application issues an HTTP POST request with…

Related CVE by CWE

No closely related CVE found.

Risk snapshot

EPSS: n/a   |   KEV: not listed

Related CVE by CWE

No related CWE found.

Top CVE for Vendor

No vendor taxonomy on this entry.

Recently Exploited Similar Vulnerabilities

No recent KEV-listed items for this vendor/product.

IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code into the COUNTRY_CODE parameter when creating a location group. When a user adds a new location group, the application issues an HTTP POST request with the ACTION parameter set to savelocationgrp, and the value of the COUNTRY_CODE parameter determines the flag displayed for that group. The value of this parameter is stored and later rendered in the web interface without proper sanitization or encoding, allowing malicious scripts to be executed in the context of other users viewing the affected page.

🧠 Explainer: What this vulnerability means

Summary: The issue in the product by the vendor (CWE: unspecified) may enable attacks.

Impact: Potential impact includes remote code execution, data theft, or denial of service.

Mitigation: Until patched, restrict exposure, enforce least privilege, and monitor for suspicious activity.

No vendor/product data yet.

No explicit mitigation/advisory links found in references.