216.73.216.86

CVE-2025-50974

· Published 26/08/2025 17:15 · Modified 26/08/2025 17:15

Labels: CVE-2025-50974 2025-08-26CVE-2025-50974[email protected]

Essential information

Published
26/08/2025 17:15
Modified
26/08/2025 17:15
Author
Creator
CISA KEV
No
CWE

Description

The Calamaris log exporter CGI (/cgi-bin/logs.cgi/calamaris.dat) in IPFire 2.29 does not properly sanitize user-supplied input before incorporating parameter values into a shell command. An unauthenticated remote attacker can inject arbitrary OS commands by embedding shell metacharacters in any of the following parameters BYTE_UNIT, DAY_BEGIN, DAY_END, HIST_LEVEL, MONTH_BEGIN, MONTH_END, NUM_CONTENT, NUM_DOMAINS, NUM_HOSTS, NUM_URLS, PERF_INTERVAL, YEAR_BEGIN, YEAR_END.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
ipfire / ipfire cpe:2.3:o:ipfire:ipfire:2.29:*:*:*:*:*:*:*:*
ipfire / calamaris log exporter cpe:2.3:a:ipfire:calamaris_log_exporter:*:*:*:*:*:*:*:*

References