CVE-2025-34306 is a stored cross-site scripting (XSS) vulnerability identified in IPFire firewall software versions prior to 2.29 (Core Update 198). The vulnerability arises from improper neutralization of input during web page generation, specifically related to the 'pienumber' parameter used when updating the default number of IP addresses in firewall IP search values. When an authenticated user submits an HTTP POST request to /cgi-bin/logs.cgi/firewalllogip.dat with a crafted 'pienumber' value containing malicious JavaScript, this input is stored without proper sanitization or encoding. Subsequently, when other users access the affected web interface page, the malicious script executes in their browser context. This can lead to session hijacking, unauthorized actions, or information disclosure within the administrative interface. The vulnerability requires the attacker to have authenticated access and involves user interaction to trigger the malicious payload. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) reflects network attack vector, low attack complexity, no attack or user interaction needed for exploitation, and limited scope impact. No public exploits have been reported yet, but the vulnerability poses a moderate risk given the administrative context of the affected interface.

For European organizations, this vulnerability could lead to unauthorized execution of scripts within the IPFire administrative interface, potentially enabling attackers to hijack sessions, manipulate firewall configurations, or gather sensitive information. Given IPFire's role as a firewall and network security appliance, compromise of its management interface could undermine perimeter defenses and lead to broader network exposure. Organizations in sectors with stringent security requirements, such as finance, healthcare, and critical infrastructure, may face increased risk of operational disruption or data breaches. The medium severity rating reflects the need for authentication and user interaction, which somewhat limits exploitation but does not eliminate risk, especially in environments with multiple administrators or less stringent access controls. Additionally, the stored nature of the XSS means multiple users could be affected once the malicious payload is injected.

Organizations should upgrade IPFire installations to version 2.29 (Core Update 198) or later, where this vulnerability is addressed. If immediate patching is not feasible, administrators should restrict access to the IPFire web interface to trusted networks and users only, employing strong authentication mechanisms such as multi-factor authentication. Input validation and output encoding should be enforced at the application level to prevent injection of malicious scripts. Regularly auditing firewall logs and configuration changes can help detect suspicious activity. Additionally, educating administrators about the risks of stored XSS and cautious handling of input parameters can reduce the likelihood of exploitation. Network segmentation and limiting administrative interface exposure to the internet further reduce attack surface.