IPFire 2.21 Core Update 127: Malicious Scripts Can Run in Admin Sessions

CVE-2019-25399
Summary

Attackers can inject malicious scripts into the IPFire web interface, potentially taking control of administrator sessions. This could allow unauthorized access to sensitive settings. Update to the latest version of IPFire to fix this vulnerability.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
ipfire | ipfire | 2.21 | –
Original title
IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID p...
Original description
IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID parameters. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions.
nvd CVSS3.1 6.4
nvd CVSS4.0 5.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026