CVE-2019-25397 in IPFire

Summary

by MITRE • 02/19/2026

IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. Attackers can submit POST requests with script payloads in the KEY1, IP, HOST, or DOM parameters to execute arbitrary JavaScript in users' browsers.


Analysis

by VulDB Data Team • 02/27/2026

The vulnerability identified as CVE-2019-25397 affects IPFire version 2.21 Core Update 127 and represents a critical reflected cross-site scripting flaw in the hosts.cgi script. This vulnerability stems from inadequate input validation within the web interface of the firewall system, creating a pathway for malicious actors to inject script code into user browsers through carefully crafted HTTP requests. The specific parameters KEY1, IP, HOST, and DOM within the hosts.cgi script fail to properly sanitize or validate user-supplied input, allowing attackers to exploit this weakness through POST request submissions.

The technical implementation of this vulnerability aligns with CWE-79, which defines cross-site scripting as a weakness where untrusted data is sent to a user agent without proper validation or encoding. In the context of IPFire's hosts.cgi script, when users interact with the web-based administration interface to manage host entries, the application fails to implement proper input sanitization mechanisms. Attackers can construct malicious POST requests containing JavaScript payloads within the vulnerable parameters, which are then reflected back to the user's browser without adequate security measures. This creates an environment where any authenticated user who views the affected page becomes vulnerable to script execution, potentially compromising the entire browser session.

The operational impact of this vulnerability extends beyond simple script injection, as it enables attackers to perform various malicious activities within the victim's browser context. An attacker could leverage this vulnerability to steal session cookies, redirect users to malicious websites, deface web interfaces, or execute more sophisticated attacks such as credential theft or browser-based malware delivery. The reflected nature of the vulnerability means that the malicious scripts are not stored on the server but are instead executed in real-time when the affected page is loaded, making detection more challenging for network monitoring systems. Given that IPFire serves as a firewall solution, this vulnerability could potentially be exploited to compromise network security boundaries, especially if administrators or users with elevated privileges interact with the affected interface.

Mitigation strategies for CVE-2019-25397 should prioritize immediate patch application to the affected IPFire version, as this represents the most effective defense against the vulnerability. Organizations should also implement network-level protections such as web application firewalls that can detect and block suspicious POST requests containing script payloads. Input validation should be strengthened across all web interfaces to ensure proper sanitization of user-supplied data before processing. Security monitoring should include detection of unusual POST request patterns targeting the hosts.cgi script, and regular security audits should verify that all web-based administrative interfaces properly implement output encoding and input validation measures. The vulnerability also highlights the importance of following ATT&CK framework techniques related to web application exploitation and credential access, as reflected XSS can serve as a stepping stone for more comprehensive attacks against the target environment.
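The input validation and output encoding recommended above can be sketched as an allowlist check over a hosts.cgi POST body. This is an added example, not IPFire's code or its patch (the real script is a Perl CGI). The field formats are assumptions: KEY1 as a numeric row index, IP as IPv4 only, HOST as a single DNS label, DOM as a dotted domain name.

```python
import html
import ipaddress
import re
from urllib.parse import parse_qs

# Assumed field formats (not taken from IPFire's source). IP is checked as
# IPv4 only; IPv6 zone IDs (%scope) would need their own check.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}\Z")
DOM_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*\Z")
KEY_RE = re.compile(r"[0-9]{1,6}\Z")


def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


VALIDATORS = {
    "KEY1": lambda v: v == "" or KEY_RE.match(v) is not None,
    "IP": _is_ipv4,
    "HOST": lambda v: HOST_RE.match(v) is not None,
    "DOM": lambda v: v == "" or DOM_RE.match(v) is not None,
}


def rejected_params(post_body):
    """Return names of the four parameters whose decoded values fail the allowlist."""
    fields = parse_qs(post_body, keep_blank_values=True)
    bad = []
    for name, check in VALIDATORS.items():
        for value in fields.get(name, []):
            if not check(value):
                bad.append(name)
                break
    return bad


def reflect(value):
    """Encode a value before echoing it into HTML text or a quoted attribute."""
    return html.escape(value, quote=True)


# Constructed sample bodies, not captured traffic.
CLEAN = "KEY1=3&IP=192.168.1.10&HOST=printer&DOM=lan.example"
TAINTED = "KEY1=3&IP=192.168.1.10&HOST=%22%3E%3Cb%3Ex&DOM=lan.example"
```

The same function works as a server-side gate or as an offline audit over logged request bodies; reflect() still applies to every echoed value, because validation alone does not replace output encoding.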

Responsible: VulnCheck

Reservation: 02/18/2026

Disclosure: 02/19/2026

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.00084

KEV: no

Activities: very low
