{"id":"CVE-2025-34311","details":"IPFire versions prior to 2.29 (Core Update 198) contain a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the user 'nobody' via multiple parameters when creating a Proxy report. When a user creates a Proxy report the application issues an HTTP POST to /cgi-bin/logs.cgi/calamaris.dat and reads the values of DAY_BEGIN, MONTH_BEGIN, YEAR_BEGIN, DAY_END, MONTH_END, YEAR_END, NUM_DOMAINS, PERF_INTERVAL, NUM_CONTENT, HIST_LEVEL, NUM_HOSTS, NUM_URLS, and BYTE_UNIT, which are interpolated directly into the shell invocation of the mkreport helper. Because these parameters are never sanitized for improper characters or constructs, a crafted POST can inject shell metacharacters into one or more fields, causing arbitrary commands to run with the privileges of the 'nobody' user.","modified":"2026-03-15T14:54:09.256718Z","published":"2025-10-28T15:16:11.400Z","references":[{"type":"ADVISORY","url":"https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/ipfire-command-injection-via-proxy-report-creation"},{"type":"REPORT","url":"https://bugzilla.ipfire.org/show_bug.cgi?id=13886"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-34311.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2.29"}]},{"events":[{"introduced":"0"},{"last_affected":"2.29-core_update183"}]},{"events":[{"introduced":"0"},{"last_affected":"2.29-core_update184"}]},{"events":[{"introduced":"0"},{"last_affected":"2.29-core_update185"}]},{"events":[{"introduced":"0"},{"last_affected":"2.29-core_update186"}]},{"events":[{"introduced":"0"},{"last_affected":"2.29-core_update187"}]},{"events":[{"introduced":"0"},{"last_affected":"2.29-core_update188"}]},{"events":[{"introduced":"0"},{"last_affected":"2.29-core_update189"}]},{"events":[{"introduced":"0"},{"last_affected":"2.29-core_update190"}]},{"events":[{"introduced":"0"},{"last_affected":"2.29-core_update191"}]},{"events":[{"introduced":"0"},{"last_affected":"2.29-core_update192"}]},{"events":[{"introduced":"0"},{"last_affected":"2.29-core_update193"}]},{"events":[{"introduced":"0"},{"last_affected":"2.29-core_update194"}]},{"events":[{"introduced":"0"},{"last_affected":"2.29-core_update195"}]},{"events":[{"introduced":"0"},{"last_affected":"2.29-core_update196"}]},{"events":[{"introduced":"0"},{"last_affected":"2.29-core_update197"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}