Detections
Analytics

CVE-2019-25397

medium

Description

IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. Attackers can submit POST requests with script payloads in the KEY1, IP, HOST, or DOM parameters to execute arbitrary JavaScript in users' browsers.

References

https://www.vulncheck.com/advisories/ipfire-core-update-cross-site-scripting-via-hostsc

https://www.ipfire.org

https://www.exploit-db.com/exploits/46344

https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso

Details

Source: Mitre, NVD

Published: 2026-02-18

Updated: 2026-02-19

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

CVSS v4

Base Score: 5.1

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Severity: Medium

EPSS

EPSS: 0.00031