IPFire Stored Cross-Site Scripting Vulnerability in Time Synchronization Settings

A stored cross-site scripting vulnerability has been identified in IPFire versions prior to 2.29 (Core Update 198). This vulnerability allows authenticated attackers to inject arbitrary JavaScript into the web interface. The issue arises when the default time synchronization settings are updated, as the injected scripts are executed in the context of users viewing the affected Time Server configuration page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of users who view the affected page.

Reproduction

To reproduce this vulnerability, an authenticated user can update the default time synchronization settings in IPFire versions prior to 2.29 (Core Update 198). During this process, the user can inject JavaScript into the UPDATE_VALUE parameter, which is sent via an HTTP POST request to /cgi-bin/time.cgi. The injected script will be executed when the Time Server configuration page is viewed.

Remediation

Users can update to IPFire 2.29 (Core Update 198) to address this vulnerability.