Home

Description

The Calamaris log exporter CGI (/cgi-bin/logs.cgi/calamaris.dat) in IPFire 2.29 does not properly sanitize user-supplied input before incorporating parameter values into a shell command. An unauthenticated remote attacker can inject arbitrary OS commands by embedding shell metacharacters in any of the following parameters BYTE_UNIT, DAY_BEGIN, DAY_END, HIST_LEVEL, MONTH_BEGIN, MONTH_END, NUM_CONTENT, NUM_DOMAINS, NUM_HOSTS, NUM_URLS, PERF_INTERVAL, YEAR_BEGIN, YEAR_END.

PUBLISHED Reserved 2025-06-16 | Published 2025-08-26 | Updated 2025-08-27 | Assigner mitre

References

github.com/...lob/main/info/IPFire-2.29-Command-Injection.md

cve.org (CVE-2025-50974)

nvd.nist.gov (CVE-2025-50974)

Download JSON