{ "affected": [ { "database_specific": { "unresolved_ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.29" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "2.29-core_update183" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "2.29-core_update184" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "2.29-core_update185" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "2.29-core_update186" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "2.29-core_update187" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "2.29-core_update188" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "2.29-core_update189" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "2.29-core_update190" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "2.29-core_update191" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "2.29-core_update192" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "2.29-core_update193" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "2.29-core_update194" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "2.29-core_update195" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "2.29-core_update196" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "2.29-core_update197" } ] } ] } } ], "details": "IPFire versions prior to 2.29 (Core Update 198) containĀ a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user 'nobody' via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the 'nobody' user.", "id": "CVE-2025-34311", "modified": "2026-03-15T13:50:36.021901643Z", "published": "2025-10-28T15:16:11.400Z", "references": [ { "type": "ADVISORY", "url": "https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released" }, { "type": "ADVISORY", "url": "https://www.vulncheck.com/advisories/ipfire-command-injection-via-proxy-report-creation" }, { "type": "REPORT", "url": "https://bugzilla.ipfire.org/show_bug.cgi?id=13886" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }