Vulnerability Description
IPFire 2.21 Core Update 127 contains multiple cross-site scripting vulnerabilities in the ovpnmain.cgi script that allow attackers to inject malicious scripts through VPN configuration parameters. Attackers can submit POST requests with script payloads in parameters like VPN_IP, DMTU, ccdname, ccdsubnet, DOVPN_SUBNET, DHCP_DOMAIN, DHCP_DNS, DHCP_WINS, ROUTES_PUSH, FRAGMENT, KEEPALIVE_1, and KEEPALIVE_2 to execute arbitrary JavaScript in administrator browsers.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ipfire | Ipfire | 2.21 |
Related Weaknesses (CWE)
References
- https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64Product
- https://www.exploit-db.com/exploits/46344ExploitThird Party AdvisoryVDB Entry
- https://www.ipfire.orgProduct
- https://www.vulncheck.com/advisories/ipfire-core-update-cross-site-scripting-viaBroken LinkThird Party Advisory
FAQ
What is CVE-2019-25398?
CVE-2019-25398 is a vulnerability with a CVSS score of 6.1 (MEDIUM). IPFire 2.21 Core Update 127 contains multiple cross-site scripting vulnerabilities in the ovpnmain.cgi script that allow attackers to inject malicious scripts through VPN configuration parameters. Att...
How severe is CVE-2019-25398?
CVE-2019-25398 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-25398?
Check the references section above for vendor advisories and patch information. Affected products include: Ipfire Ipfire.