2025-10-28 14:37:47
VulnCheck
PUBLISHED
IPFire versions prior to 2.29 (Core Update 198) containĀ a command injection vulnerability that allows an authenticated attacker to execute arbitrary commands as the nobody user via the BE_NAME parameter when installing a blacklist. When a blacklist is installed the application issues an HTTP POST to /cgi-bin/urlfilter.cgi and interpolates the value of BE_NAME directly into a shell invocation without appropriate sanitation. Crafted input can inject shell metacharacters, leading to arbitrary command execution in the context of the nobody user.