CVE-2025-34302 is a stored cross-site scripting (XSS) vulnerability identified in IPFire, an open-source firewall distribution widely used for network security. The flaw exists in versions prior to 2.29 (Core Update 198) and stems from improper neutralization of input during web page generation, specifically related to the PROT parameter when creating a new service entry. When an authenticated user adds a service, the application sends an HTTP POST request with the ACTION parameter set to 'saveservice' and includes the protocol type in the PROT parameter. This parameter's value is stored and later rendered in the web interface without proper sanitization or encoding, allowing malicious JavaScript code to be injected and executed in the context of other users who view the affected service entry. This stored XSS can lead to session hijacking, unauthorized actions on behalf of other users, or the theft of sensitive information accessible via the web interface. The vulnerability requires the attacker to have authenticated access and some user interaction but does not require elevated privileges or user interaction beyond service creation. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction required. The scope is limited with low confidentiality, integrity, and availability impacts, resulting in a medium severity score of 5.1. No public exploits have been reported yet, but the vulnerability poses a risk to environments relying on IPFire for perimeter or internal network security. The root cause is insufficient input validation and output encoding in the web interface code handling the PROT parameter. Remediation involves patching to a fixed version or applying input sanitization and output encoding to prevent script injection.

For European organizations, this vulnerability could lead to unauthorized execution of malicious scripts within the IPFire web interface, potentially compromising administrative sessions or enabling further attacks such as privilege escalation or data exfiltration. Since IPFire is often deployed in network perimeter defense roles, exploitation could undermine firewall management integrity and availability. The requirement for authenticated access limits exposure to internal or trusted users, but insider threats or compromised credentials could be leveraged. The medium severity indicates moderate risk, but critical infrastructure or organizations with strict compliance requirements may face significant operational and reputational impacts if exploited. Additionally, the vulnerability could be used as a foothold for lateral movement within networks. Organizations relying on IPFire for network security in sectors such as finance, healthcare, or government in Europe should consider this a priority vulnerability to address. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code could emerge.

1. Upgrade IPFire installations to version 2.29 (Core Update 198) or later where the vulnerability is patched. 2. If immediate upgrade is not feasible, implement strict input validation and output encoding on the PROT parameter within the web interface code to neutralize malicious scripts. 3. Restrict access to the IPFire web interface to trusted administrators only, using network segmentation and strong authentication mechanisms such as multi-factor authentication. 4. Monitor logs for unusual POST requests involving service creation or modification, especially those containing suspicious input in the PROT parameter. 5. Educate administrators about the risks of stored XSS and encourage cautious handling of service configurations. 6. Regularly audit user privileges to ensure only necessary personnel have access to create or modify services. 7. Employ web application firewalls (WAFs) or intrusion detection systems (IDS) that can detect and block XSS payloads targeting the IPFire interface. 8. Conduct internal penetration testing focusing on the firewall management interface to identify any residual or related vulnerabilities.