ГлавнаяУязвимости → CVE-2025-34312
8.8высокая

CVE-2025-34312

Описание

IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the 'nobody' user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the 'nobody' user.

Затрагиваемое ПО
Ipfire Ipfire
CVSS
Балл8.8 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Источники
https://bugzilla.ipfire.org/show_bug.cgi?id=13887https://www.ipfire.org/blog/ipfire-2-29-core-update-198-releasedhttps://www.vulncheck.com/advisories/ipfire-command-injection-via-url-filter-blacklist