CVE-2025-34310 is a stored cross-site scripting vulnerability affecting IPFire firewall software versions prior to 2.29 (Core Update 198). The vulnerability arises from improper neutralization of input during web page generation (CWE-79). Specifically, when an authenticated user updates Quality of Service (QoS) settings via the web interface, the application accepts parameters INC_SPD, OUT_SPD, DEFCLASS_INC, and DEFCLASS_OUT through an HTTP POST request to /cgi-bin/qos.cgi. These parameters are stored and later rendered in the web interface without proper sanitization or encoding, allowing malicious JavaScript code injected by an attacker to execute in the browsers of other users who view the affected QoS entries. This stored XSS can lead to session hijacking, credential theft, or unauthorized actions within the IPFire administrative interface. The attack requires the attacker to have authenticated access to the system, but no further user interaction is needed for the payload to execute once the malicious entry is viewed. The vulnerability has a CVSS 4.0 base score of 5.1, indicating medium severity due to network attack vector, low attack complexity, and limited scope. No public exploits or active exploitation have been reported to date. The lack of proper input validation and output encoding in the QoS management module is the root cause. This vulnerability highlights the importance of secure coding practices in network appliance management interfaces, especially those exposed to internal or external networks.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on IPFire as a perimeter firewall or internal network security appliance. Successful exploitation could allow an authenticated attacker, such as a malicious insider or a compromised user account, to execute arbitrary JavaScript in the context of other administrators or users accessing the QoS management interface. This can lead to session hijacking, unauthorized configuration changes, or further compromise of the firewall device. Given that IPFire is often used in small to medium enterprises, educational institutions, and public sector organizations across Europe, exploitation could disrupt network security controls and lead to data breaches or service interruptions. The vulnerability does not allow unauthenticated remote exploitation, limiting the attack surface, but the medium severity score reflects the risk posed by insider threats or credential compromise. Organizations with strict regulatory requirements for network security and data protection, such as those under GDPR, must consider the reputational and compliance risks associated with this vulnerability.

European organizations should immediately upgrade IPFire installations to version 2.29 (Core Update 198) or later, where this vulnerability is fixed. If immediate patching is not possible, administrators should restrict access to the QoS management interface to trusted personnel only and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. Network segmentation should be applied to limit access to the IPFire web interface from untrusted networks. Additionally, monitoring and logging of administrative actions on the firewall should be enhanced to detect suspicious activity. Web application firewalls (WAFs) or intrusion detection systems (IDS) can be configured to detect and block suspicious POST requests targeting the QoS parameters. Security teams should conduct regular audits of firewall configurations and user accounts to identify unauthorized changes or access. Finally, educating administrators about the risks of stored XSS and safe handling of web interfaces can reduce the likelihood of exploitation.