{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2019-25397","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2026-02-18T19:16:33.428Z","datePublished":"2026-02-18T20:59:08.864Z","dateUpdated":"2026-03-05T01:26:39.250Z"},"containers":{"cna":{"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2026-03-05T01:26:39.250Z"},"datePublic":"2019-02-08T00:00:00.000Z","title":"IPFire 2.21 Core Update 127 Cross-Site Scripting via hosts.cgi","descriptions":[{"lang":"en","value":"IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. Attackers can submit POST requests with script payloads in the KEY1, IP, HOST, or DOM parameters to execute arbitrary JavaScript in users' browsers."}],"problemTypes":[{"descriptions":[{"lang":"en","description":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","cweId":"CWE-79","type":"CWE"}]}],"affected":[{"vendor":"Ipfire","product":"IPFire","versions":[{"version":"IPFire 2.21 - Core Update 127","status":"affected"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ipfire:ipfire:2.27:core_update181:*:*:*:*:*:*"}]}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":5.1,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","userInteraction":"ACTIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS"},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"},"format":"CVSS"}],"references":[{"url":"https://www.exploit-db.com/exploits/46344","name":"ExploitDB-46344","tags":["exploit"]},{"url":"https://www.ipfire.org","name":"IPFire Official Website","tags":["product"]},{"url":"https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso","name":"IPFire 2.21 Core Update 127 Download","tags":["patch"]},{"name":"VulnCheck Advisory: IPFire 2.21 Core Update 127 Cross-Site Scripting via hosts.cgi","tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/ipfire-core-update-cross-site-scripting-via-hostsc"}],"credits":[{"lang":"en","value":"Ozer Goker","type":"finder"}],"x_generator":{"engine":"vulncheck"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-19T14:40:11.571953Z","id":"CVE-2019-25397","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-19T14:41:22.035Z"}}]}}