CVE-2018-16232

HIGH

IPFire < 2.21 Core Update 124 - Authenticated OS Command Injection via backup.cgi

Description

An authenticated command injection vulnerability exists in IPFire Firewall before 2.21 Core Update 124 in backup.cgi. This allows an authenticated user with privileges for the affected page to execute arbitrary commands.

References (2)

Patch, Vendor Advisory x_refsource_confirm
https://www.ipfire.org/news/ipfire-2-21-core-update-124-released

Scores

CVSS v3 8.8
EPSS 0.0779
EPSS Percentile 93.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (7)
ipfire/ipfire 1.49
ipfire/ipfire 2.1 (2 CPE variants)
ipfire/ipfire 2.11 core_update53 (6 CPE variants)
ipfire/ipfire 2.13 core_update66 (10 CPE variants)
ipfire/ipfire 2.15 76_rc1 (9 CPE variants)
ipfire/ipfire 2.17 86_beta1 (10 CPE variants)
ipfire/ipfire 2.19 core_update100 (12 CPE variants)
Published Oct 17, 2018
Tracked Since Feb 18, 2026