IPFire Stored Cross-Site Scripting Vulnerability in cleanhtml() Function

A stored cross-site scripting vulnerability has been identified in IPFire versions prior to 2.29 (Core Update 198). This issue arises from the cleanhtml() function in /var/ipfire/header.pl, which improperly sanitizes user input by failing to apply HTML-entity encoding. As a result, when an authenticated user submits data to certain endpoints, the unsanitized input is stored and later displayed in the web interface, allowing injected scripts to execute in the context of other users.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of users viewing the affected entries.

Reproduction

To reproduce this vulnerability, an authenticated user can submit data to one of the affected endpoints, such as /cgi-bin/wakeonlan.cgi or /cgi-bin/dhcp.cgi. The submitted data should include a script payload. Once the data is saved, the injected script will execute when the entry is viewed by another user.

Remediation

Users can update to IPFire 2.29 (Core Update 198) to address this vulnerability.