IPFire Update 127: Malicious Scripts Can Be Injected via Browser

Summary

Attackers can inject malicious scripts into IPFire's update process, potentially harming users' computers. This could happen if a user visits a malicious website or opens a malicious email that contains a crafted request. To stay safe, update to the latest version of IPFire as soon as possible.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
ipfire	ipfire	2.21	–

Original title

IPFire 2.21 Core Update 127 contains a reflected cross-site scripting vulnerability in the updatexlrator.cgi script that allows attackers to inject malicious scripts through POST parameters. Attack...

Original description

IPFire 2.21 Core Update 127 contains a reflected cross-site scripting vulnerability in the updatexlrator.cgi script that allows attackers to inject malicious scripts through POST parameters. Attackers can submit crafted requests with script payloads in the MAX_DISK_USAGE or MAX_DOWNLOAD_RATE parameters to execute arbitrary JavaScript in users' browsers.

nvd CVSS3.1 6.1

nvd CVSS4.0 5.1

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64... Product
https://www.exploit-db.com/exploits/46344 Exploit Third Party Advisory VDB Entry
https://www.ipfire.org Product
https://www.vulncheck.com/advisories/ipfire-core-update-reflected-xss-via-update... Broken Link Third Party Advisory