CVE-2019-25399
IPFire 2.21 Core Update 127 Stored XSS via extrahd.cgi
CVSS Score
6.4
EPSS Score
0.0%
EPSS Percentile
0th
IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID parameters. Attackers can submit POST requests with script payloads in these parameters to execute arbitrary JavaScript in the context of authenticated administrator sessions.
| CWE | CWE-79 |
| Vendor | ipfire |
| Product | ipfire |
| Published | Feb 18, 2026 |
| Last Updated | Mar 5, 2026 |
Stay Ahead of the Next One
Get instant alerts for ipfire ipfire
Be the first to know when new medium vulnerabilities affecting ipfire ipfire are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
Ipfire / IPFire
IPFire 2.21 - Core Update 127
References
exploit-db.com: https://www.exploit-db.com/exploits/46344 ipfire.org: https://www.ipfire.org downloads.ipfire.org: https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso vulncheck.com: https://www.vulncheck.com/advisories/ipfire-core-update-stored-xss-via-extrahdcgi
Credits
Ozer Goker