CVE-2025-50975

{"id": "CVE-2025-50975", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2025-08-26T19:15:45.073", "references": [{"url": "https://github.com/4rdr/proofs/blob/main/info/IPFire-2.29-Stored-XSS-via-Firewall.md", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/4rdr/proofs/blob/main/info/IPFire-2.29-Stored-XSS-via-Firewall.md", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "IPFire 2.29 web-based firewall interface (firewall.cgi) fails to sanitize several rule parameters such as PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, and tgt_addr, allowing an authenticated administrator to inject persistent JavaScript. This stored XSS payload is executed whenever another admin views the firewall rules page, enabling session hijacking, unauthorized actions within the interface, or further internal pivoting. Exploitation requires only high-privilege GUI access, and the complexity of the attack is low."}, {"lang": "es", "value": "La interfaz del firewall web IPFire 2.29 (firewall.cgi) no depura varios par\u00e1metros de reglas, como PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt y tgt_addr, lo que permite que un administrador autenticado inyecte JavaScript persistente. Este payload XSS almacenado se ejecuta cada vez que otro administrador accede a la p\u00e1gina de reglas del firewall, lo que permite el secuestro de sesiones, acciones no autorizadas dentro de la interfaz o un mayor pivoteo interno. La explotaci\u00f3n solo requiere acceso a la interfaz gr\u00e1fica con privilegios altos, y la complejidad del ataque es baja."}], "lastModified": "2025-09-09T18:55:29.033", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ipfire:ipfire:2.29:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B9439E2-21E1-4248-AC20-0F7EDC356ABC"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}