Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Ipfire Subscribe
Total 7 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-36368 1 Ipfire 1 Ipfire 2022-10-25 N/A 4.8 MEDIUM
Multiple stored cross-site scripting vulnerabilities in the web user interface of IPFire versions prior to 2.27 allows a remote authenticated attacker with administrative privilege to inject an arbitrary script.
CVE-2021-33393 1 Ipfire 1 Ipfire 2022-07-12 9.0 HIGH 8.8 HIGH
lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It might be owned by an unprivileged account, which could potentially be used to install a Trojan horse backup.pl script that is later executed by root. Similar problems with the ownership/permissions of other files may be present as well.
CVE-2020-19204 1 Ipfire 1 Ipfire 2022-04-29 3.5 LOW 5.4 MEDIUM
An authenticated Stored Cross-Site Scriptiong (XSS) vulnerability exists in Lightning Wire Labs IPFire 2.21 (x86_64) - Core Update 130 in the "routing.cgi" Routing Table Entries via the "Remark" text box or "remark" parameter. It allows an authenticated WebGUI user to execute Stored Cross-site Scripting in the Routing Table Entries.
CVE-2020-21142 1 Ipfire 1 Ipfire 2021-07-01 4.3 MEDIUM 6.1 MEDIUM
Cross Site Scripting (XSS) vulnerabilty in IPFire 2.23 via the IPfire web UI in the mail.cgi.
CVE-2020-19202 1 Ipfire 1 Ipfire 2021-06-22 3.5 LOW 5.4 MEDIUM
An authenticated Stored XSS (Cross-site Scripting) exists in the "captive.cgi" Captive Portal via the "Title of Login Page" text box or "TITLE" parameter in IPFire 2.21 (x86_64) - Core Update 130. It allows an authenticated WebGUI user with privileges to execute Stored Cross-site Scripting in the Captive Portal page.
CVE-2017-9757 1 Ipfire 1 Ipfire 2019-10-02 6.5 MEDIUM 8.8 HIGH
IPFire 2.19 has a Remote Command Injection vulnerability in ids.cgi via the OINKCODE parameter, which is mishandled by a shell. This can be exploited directly by authenticated users, or through CSRF.
CVE-2018-16232 1 Ipfire 1 Ipfire 2019-10-02 6.5 MEDIUM 8.8 HIGH
An authenticated command injection vulnerability exists in IPFire Firewall before 2.21 Core Update 124 in backup.cgi. This allows an authenticated user with privileges for the affected page to execute arbitrary commands.