Search criteria
96 vulnerabilities found for Froxlor by froxlor
CVE-2026-41233 (GCVE-0-2026-41233)
Vulnerability from nvd – Published: 2026-04-23 04:00 – Updated: 2026-04-23 12:26
VLAI?
Title
Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()
Summary
Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's `domains_used` counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes the issue.
Severity ?
5.4 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/bf47ba1… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41233",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T12:26:17.190754Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T12:26:22.883Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin\u0027s `domains_used` counter is incremented) and potentially exhausting another admin\u0027s quota. Version 2.3.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T04:00:19.011Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4"
},
{
"name": "https://github.com/froxlor/froxlor/commit/bf47ba15329506e9f9662f9462463932aa80dff5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/bf47ba15329506e9f9662f9462463932aa80dff5"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"
}
],
"source": {
"advisory": "GHSA-jvx4-xv3m-hrj4",
"discovery": "UNKNOWN"
},
"title": "Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41233",
"datePublished": "2026-04-23T04:00:19.011Z",
"dateReserved": "2026-04-18T03:47:03.134Z",
"dateUpdated": "2026-04-23T12:26:22.883Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41232 (GCVE-0-2026-41232)
Vulnerability from nvd – Published: 2026-04-23 03:54 – Updated: 2026-04-23 14:50
VLAI?
Title
Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index that Allows Cross-Customer Email Spoofing
Summary
Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's `sender_login_maps` then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue.
Severity ?
5 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/77d04ba… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41232",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T14:49:29.020053Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T14:50:19.516Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent \"domains,\" allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix\u0027s `sender_login_maps` then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T03:54:55.765Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6"
},
{
"name": "https://github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e07a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e07a"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"
}
],
"source": {
"advisory": "GHSA-vmjj-qr7v-pxm6",
"discovery": "UNKNOWN"
},
"title": "Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index that Allows Cross-Customer Email Spoofing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41232",
"datePublished": "2026-04-23T03:54:55.765Z",
"dateReserved": "2026-04-18T03:47:03.134Z",
"dateUpdated": "2026-04-23T14:50:19.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41231 (GCVE-0-2026-41231)
Vulnerability from nvd – Published: 2026-04-23 03:52 – Updated: 2026-04-23 16:23
VLAI?
Title
Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron
Summary
Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix.
Severity ?
7.5 (High)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/2987b0e… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41231",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T14:48:21.532406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T16:23:03.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T03:52:42.587Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r"
},
{
"name": "https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"
}
],
"source": {
"advisory": "GHSA-75h4-c557-j89r",
"discovery": "UNKNOWN"
},
"title": "Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41231",
"datePublished": "2026-04-23T03:52:42.587Z",
"dateReserved": "2026-04-18T03:47:03.134Z",
"dateUpdated": "2026-04-23T16:23:03.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41230 (GCVE-0-2026-41230)
Vulnerability from nvd – Published: 2026-04-23 03:47 – Updated: 2026-04-23 13:58
VLAI?
Title
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()
Summary
Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. Version 2.3.6 fixes the issue.
Severity ?
8.5 (High)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/47a8af5… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41230",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T13:58:05.259261Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T13:58:27.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain\u0027s zone file. Version 2.3.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T03:47:11.258Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c"
},
{
"name": "https://github.com/froxlor/froxlor/commit/47a8af5d9523cb6ec94567405cfc2e294d3a1442",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/47a8af5d9523cb6ec94567405cfc2e294d3a1442"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"
}
],
"source": {
"advisory": "GHSA-47hf-23pw-3m8c",
"discovery": "UNKNOWN"
},
"title": "Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41230",
"datePublished": "2026-04-23T03:47:11.258Z",
"dateReserved": "2026-04-18T03:47:03.134Z",
"dateUpdated": "2026-04-23T13:58:27.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41229 (GCVE-0-2026-41229)
Vulnerability from nvd – Published: 2026-04-23 03:44 – Updated: 2026-04-23 12:31
VLAI?
Title
Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)
Summary
Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch.
Severity ?
9.1 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/3589ddf… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41229",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T12:31:11.971510Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T12:31:15.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T03:44:25.617Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8"
},
{
"name": "https://github.com/froxlor/froxlor/commit/3589ddf93ab59eb2a8971f0f56cbf6266d03c4ae",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/3589ddf93ab59eb2a8971f0f56cbf6266d03c4ae"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"
}
],
"source": {
"advisory": "GHSA-gc9w-cc93-rjv8",
"discovery": "UNKNOWN"
},
"title": "Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41229",
"datePublished": "2026-04-23T03:44:25.617Z",
"dateReserved": "2026-04-18T03:47:03.134Z",
"dateUpdated": "2026-04-23T12:31:15.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41228 (GCVE-0-2026-41228)
Vulnerability from nvd – Published: 2026-04-23 03:41 – Updated: 2026-04-23 14:48
VLAI?
Title
Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution
Summary
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.
Severity ?
10 (Critical)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/bc5e6db… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41228",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T14:46:42.002368Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T14:48:07.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T03:41:47.479Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7"
},
{
"name": "https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"
}
],
"source": {
"advisory": "GHSA-w59f-67xm-rxx7",
"discovery": "UNKNOWN"
},
"title": "Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41228",
"datePublished": "2026-04-23T03:41:47.479Z",
"dateReserved": "2026-04-18T03:47:03.134Z",
"dateUpdated": "2026-04-23T14:48:07.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30932 (GCVE-0-2026-30932)
Vulnerability from nvd – Published: 2026-03-24 18:46 – Updated: 2026-03-25 13:31
VLAI?
Title
Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
Summary
Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5.
Severity ?
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/b348292… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30932",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T13:30:29.048584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T13:31:13.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T18:46:13.137Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-x6w6-2xwp-3jh6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-x6w6-2xwp-3jh6"
},
{
"name": "https://github.com/froxlor/froxlor/commit/b34829262dc32818b37f6a1eabb426d0b277a86b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/b34829262dc32818b37f6a1eabb426d0b277a86b"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.5"
}
],
"source": {
"advisory": "GHSA-x6w6-2xwp-3jh6",
"discovery": "UNKNOWN"
},
"title": "Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30932",
"datePublished": "2026-03-24T18:46:13.137Z",
"dateReserved": "2026-03-07T16:40:05.885Z",
"dateUpdated": "2026-03-25T13:31:13.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26279 (GCVE-0-2026-26279)
Vulnerability from nvd – Published: 2026-03-03 22:31 – Updated: 2026-03-04 16:13
VLAI?
Title
Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection
Summary
Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.
Severity ?
9.1 (Critical)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/Froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/2224967… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.4 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26279",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T16:12:37.881548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T16:13:18.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor\u0027s input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-482",
"description": "CWE-482: Comparing instead of Assigning",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T22:31:58.516Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c"
},
{
"name": "https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.4"
}
],
"source": {
"advisory": "GHSA-33mp-8p67-xj7c",
"discovery": "UNKNOWN"
},
"title": "Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26279",
"datePublished": "2026-03-03T22:31:58.516Z",
"dateReserved": "2026-02-12T17:10:53.414Z",
"dateUpdated": "2026-03-04T16:13:18.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48958 (GCVE-0-2025-48958)
Vulnerability from nvd – Published: 2025-06-02 11:18 – Updated: 2025-06-02 16:41
VLAI?
Title
Froxlor has an HTML Injection Vulnerability
Summary
Froxlor is open source server administration software. Prior to version 2.2.6, an HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email section. This can lead to phishing attacks, credential theft, and reputational damage by redirecting users to malicious external websites. The vulnerability has a medium severity, as it can be exploited through user input without authentication. Version 2.2.6 fixes the issue.
Severity ?
5.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/Froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/Froxlor/commit/fde43f8… | x_refsource_MISC |
| https://github.com/user-attachments/assets/869476… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48958",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T16:40:22.307089Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T16:41:18.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-26xq-m8xw-6373"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.2.6, an HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email section. This can lead to phishing attacks, credential theft, and reputational damage by redirecting users to malicious external websites. The vulnerability has a medium severity, as it can be exploited through user input without authentication. Version 2.2.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T11:18:27.230Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-26xq-m8xw-6373",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-26xq-m8xw-6373"
},
{
"name": "https://github.com/froxlor/Froxlor/commit/fde43f80600f1035e1e3d2297411b666d805549a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/Froxlor/commit/fde43f80600f1035e1e3d2297411b666d805549a"
},
{
"name": "https://github.com/user-attachments/assets/86947633-3e7c-4e10-86cc-92e577761e8e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/assets/86947633-3e7c-4e10-86cc-92e577761e8e"
}
],
"source": {
"advisory": "GHSA-26xq-m8xw-6373",
"discovery": "UNKNOWN"
},
"title": "Froxlor has an HTML Injection Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48958",
"datePublished": "2025-06-02T11:18:27.230Z",
"dateReserved": "2025-05-28T18:49:07.585Z",
"dateUpdated": "2025-06-02T16:41:18.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-29773 (GCVE-0-2025-29773)
Vulnerability from nvd – Published: 2025-03-13 17:07 – Updated: 2025-03-13 18:30
VLAI?
Title
Froxlor allows Multiple Accounts to Share the Same Email Address Leading to Potential Privilege Escalation or Account Takeover
Summary
Froxlor is open-source server administration software. A vulnerability in versions prior to 2.2.6 allows users (such as resellers or customers) to create accounts with the same email address as an existing account. This creates potential issues with account identification and security. This vulnerability can be exploited by authenticated users (e.g., reseller, customer) who can create accounts with the same email address that has already been used by another account, such as the admin. The attack vector is email-based, as the system does not prevent multiple accounts from registering the same email address, leading to possible conflicts and security issues. Version 2.2.6 fixes the issue.
Severity ?
5.8 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/Froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/Froxlor/commit/a43d53d… | x_refsource_MISC |
| https://mega.nz/file/h8oFHQrL#I4V02_BWee4CCx7OoBl… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-29773",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-13T18:30:51.821664Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T18:30:56.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-7j6w-p859-464f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open-source server administration software. A vulnerability in versions prior to 2.2.6 allows users (such as resellers or customers) to create accounts with the same email address as an existing account. This creates potential issues with account identification and security. This vulnerability can be exploited by authenticated users (e.g., reseller, customer) who can create accounts with the same email address that has already been used by another account, such as the admin. The attack vector is email-based, as the system does not prevent multiple accounts from registering the same email address, leading to possible conflicts and security issues. Version 2.2.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T17:07:28.515Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-7j6w-p859-464f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-7j6w-p859-464f"
},
{
"name": "https://github.com/froxlor/Froxlor/commit/a43d53d54034805e3e404702a01312fa0c40b623",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/Froxlor/commit/a43d53d54034805e3e404702a01312fa0c40b623"
},
{
"name": "https://mega.nz/file/h8oFHQrL#I4V02_BWee4CCx7OoBl_2Ufkd5Wc7fvs5aCatGApkoQ",
"tags": [
"x_refsource_MISC"
],
"url": "https://mega.nz/file/h8oFHQrL#I4V02_BWee4CCx7OoBl_2Ufkd5Wc7fvs5aCatGApkoQ"
}
],
"source": {
"advisory": "GHSA-7j6w-p859-464f",
"discovery": "UNKNOWN"
},
"title": "Froxlor allows Multiple Accounts to Share the Same Email Address Leading to Potential Privilege Escalation or Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-29773",
"datePublished": "2025-03-13T17:07:28.515Z",
"dateReserved": "2025-03-11T14:23:00.474Z",
"dateUpdated": "2025-03-13T18:30:56.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34070 (GCVE-0-2024-34070)
Vulnerability from nvd – Published: 2024-05-10 15:21 – Updated: 2024-08-02 02:42
VLAI?
Title
Froxlor Vulnerable to Blind XSS Leading to Froxlor Application Compromise
Summary
Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. This vulnerability is fixed in 2.1.9.
Severity ?
9.7 (Critical)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/Froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/Froxlor/commit/a862307… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:froxlor:froxlor:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"lessThan": "2.1.9",
"status": "affected",
"version": "2.1.9*",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34070",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-10T20:22:17.320471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:42:49.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:42:59.890Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53"
},
{
"name": "https://github.com/froxlor/Froxlor/commit/a862307bce5cdfb1c208b835f3e8faddd23046e6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/froxlor/Froxlor/commit/a862307bce5cdfb1c208b835f3e8faddd23046e6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. This vulnerability is fixed in 2.1.9.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-10T15:21:37.883Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53"
},
{
"name": "https://github.com/froxlor/Froxlor/commit/a862307bce5cdfb1c208b835f3e8faddd23046e6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/Froxlor/commit/a862307bce5cdfb1c208b835f3e8faddd23046e6"
}
],
"source": {
"advisory": "GHSA-x525-54hf-xr53",
"discovery": "UNKNOWN"
},
"title": "Froxlor Vulnerable to Blind XSS Leading to Froxlor Application Compromise"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34070",
"datePublished": "2024-05-10T15:21:37.883Z",
"dateReserved": "2024-04-30T06:56:33.381Z",
"dateUpdated": "2024-08-02T02:42:59.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50256 (GCVE-0-2023-50256)
Vulnerability from nvd – Published: 2024-01-03 22:34 – Updated: 2025-06-17 20:29
VLAI?
Title
Froxlor username/surname AND company field Bypass
Summary
Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue.
Severity ?
7.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Froxlor/Froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/Froxlor/Froxlor/commit/4b18468… | x_refsource_MISC |
| https://user-images.githubusercontent.com/8002876… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.105Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4"
},
{
"name": "https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac"
},
{
"name": "https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-09T15:34:46.014767Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:29:07.539Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Froxlor",
"vendor": "Froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-03T22:34:47.447Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4"
},
{
"name": "https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac"
},
{
"name": "https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4",
"tags": [
"x_refsource_MISC"
],
"url": "https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4"
}
],
"source": {
"advisory": "GHSA-625g-fm5w-w7w4",
"discovery": "UNKNOWN"
},
"title": "Froxlor username/surname AND company field Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50256",
"datePublished": "2024-01-03T22:34:47.447Z",
"dateReserved": "2023-12-05T20:42:59.378Z",
"dateUpdated": "2025-06-17T20:29:07.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6069 (GCVE-0-2023-6069)
Vulnerability from nvd – Published: 2023-11-10 00:00 – Updated: 2024-08-02 08:21
VLAI?
Title
Improper Link Resolution Before File Access in froxlor/froxlor
Summary
Improper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0.
Severity ?
9.9 (Critical)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| froxlor | froxlor/froxlor |
Affected:
unspecified , < 2.1.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/aac0627e-e59d-476e-9385-edb7ff53758c"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/froxlor/froxlor/commit/9e8f32f1e86016733b603b50c31b97f472e8dabc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "froxlor/froxlor",
"vendor": "froxlor",
"versions": [
{
"lessThan": "2.1.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0.\u003c/p\u003e"
}
],
"value": "Improper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-16T21:10:57.491Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/aac0627e-e59d-476e-9385-edb7ff53758c"
},
{
"url": "https://github.com/froxlor/froxlor/commit/9e8f32f1e86016733b603b50c31b97f472e8dabc"
}
],
"source": {
"advisory": "aac0627e-e59d-476e-9385-edb7ff53758c",
"discovery": "EXTERNAL"
},
"title": "Improper Link Resolution Before File Access in froxlor/froxlor",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2023-6069",
"datePublished": "2023-11-10T00:00:32.765Z",
"dateReserved": "2023-11-10T00:00:12.624Z",
"dateUpdated": "2024-08-02T08:21:17.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4829 (GCVE-0-2023-4829)
Vulnerability from nvd – Published: 2023-10-13 12:24 – Updated: 2024-09-17 17:05
VLAI?
Title
Cross-site Scripting (XSS) - Stored in froxlor/froxlor
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22.
Severity ?
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| froxlor | froxlor/froxlor |
Affected:
unspecified , < 2.0.22
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:38:00.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/babd73ca-6c80-4145-8c7d-33a883fe606b"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/froxlor/froxlor/commit/4711a414360782fe4fc94f7c25027077cbcdf73d"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"lessThan": "2.0.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4829",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-17T17:04:26.707923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T17:05:37.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor/froxlor",
"vendor": "froxlor",
"versions": [
{
"lessThan": "2.0.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-13T12:24:05.277Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/babd73ca-6c80-4145-8c7d-33a883fe606b"
},
{
"url": "https://github.com/froxlor/froxlor/commit/4711a414360782fe4fc94f7c25027077cbcdf73d"
}
],
"source": {
"advisory": "babd73ca-6c80-4145-8c7d-33a883fe606b",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in froxlor/froxlor"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4829",
"datePublished": "2023-10-13T12:24:05.277Z",
"dateReserved": "2023-09-08T00:00:07.307Z",
"dateUpdated": "2024-09-17T17:05:37.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5564 (GCVE-0-2023-5564)
Vulnerability from nvd – Published: 2023-10-13 00:00 – Updated: 2024-09-17 17:08
VLAI?
Title
Cross-site Scripting (XSS) - Stored in froxlor/froxlor
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1.
Severity ?
5.2 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| froxlor | froxlor/froxlor |
Affected:
unspecified , < 2.1.0-dev1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.835Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/9254d8f3-a847-4ae8-8477-d2ce027cff5c"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/froxlor/froxlor/commit/e8ed43056c1665522a586e3485da67f2bdf073aa"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"lessThan": "2.1.0-dev1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5564",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-17T17:07:19.123189Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T17:08:03.569Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor/froxlor",
"vendor": "froxlor",
"versions": [
{
"lessThan": "2.1.0-dev1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-13T00:00:19.626Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/9254d8f3-a847-4ae8-8477-d2ce027cff5c"
},
{
"url": "https://github.com/froxlor/froxlor/commit/e8ed43056c1665522a586e3485da67f2bdf073aa"
}
],
"source": {
"advisory": "9254d8f3-a847-4ae8-8477-d2ce027cff5c",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in froxlor/froxlor"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-5564",
"datePublished": "2023-10-13T00:00:19.626Z",
"dateReserved": "2023-10-13T00:00:06.686Z",
"dateUpdated": "2024-09-17T17:08:03.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-41233 (GCVE-0-2026-41233)
Vulnerability from cvelistv5 – Published: 2026-04-23 04:00 – Updated: 2026-04-23 12:26
VLAI?
Title
Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()
Summary
Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's `domains_used` counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes the issue.
Severity ?
5.4 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/bf47ba1… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41233",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T12:26:17.190754Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T12:26:22.883Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin\u0027s `domains_used` counter is incremented) and potentially exhausting another admin\u0027s quota. Version 2.3.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T04:00:19.011Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4"
},
{
"name": "https://github.com/froxlor/froxlor/commit/bf47ba15329506e9f9662f9462463932aa80dff5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/bf47ba15329506e9f9662f9462463932aa80dff5"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"
}
],
"source": {
"advisory": "GHSA-jvx4-xv3m-hrj4",
"discovery": "UNKNOWN"
},
"title": "Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41233",
"datePublished": "2026-04-23T04:00:19.011Z",
"dateReserved": "2026-04-18T03:47:03.134Z",
"dateUpdated": "2026-04-23T12:26:22.883Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41232 (GCVE-0-2026-41232)
Vulnerability from cvelistv5 – Published: 2026-04-23 03:54 – Updated: 2026-04-23 14:50
VLAI?
Title
Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index that Allows Cross-Customer Email Spoofing
Summary
Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's `sender_login_maps` then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue.
Severity ?
5 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/77d04ba… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41232",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T14:49:29.020053Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T14:50:19.516Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent \"domains,\" allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix\u0027s `sender_login_maps` then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T03:54:55.765Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6"
},
{
"name": "https://github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e07a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e07a"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"
}
],
"source": {
"advisory": "GHSA-vmjj-qr7v-pxm6",
"discovery": "UNKNOWN"
},
"title": "Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index that Allows Cross-Customer Email Spoofing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41232",
"datePublished": "2026-04-23T03:54:55.765Z",
"dateReserved": "2026-04-18T03:47:03.134Z",
"dateUpdated": "2026-04-23T14:50:19.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41231 (GCVE-0-2026-41231)
Vulnerability from cvelistv5 – Published: 2026-04-23 03:52 – Updated: 2026-04-23 16:23
VLAI?
Title
Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron
Summary
Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix.
Severity ?
7.5 (High)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/2987b0e… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41231",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T14:48:21.532406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T16:23:03.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T03:52:42.587Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r"
},
{
"name": "https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"
}
],
"source": {
"advisory": "GHSA-75h4-c557-j89r",
"discovery": "UNKNOWN"
},
"title": "Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41231",
"datePublished": "2026-04-23T03:52:42.587Z",
"dateReserved": "2026-04-18T03:47:03.134Z",
"dateUpdated": "2026-04-23T16:23:03.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41230 (GCVE-0-2026-41230)
Vulnerability from cvelistv5 – Published: 2026-04-23 03:47 – Updated: 2026-04-23 13:58
VLAI?
Title
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()
Summary
Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. Version 2.3.6 fixes the issue.
Severity ?
8.5 (High)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/47a8af5… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41230",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T13:58:05.259261Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T13:58:27.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain\u0027s zone file. Version 2.3.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T03:47:11.258Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c"
},
{
"name": "https://github.com/froxlor/froxlor/commit/47a8af5d9523cb6ec94567405cfc2e294d3a1442",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/47a8af5d9523cb6ec94567405cfc2e294d3a1442"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"
}
],
"source": {
"advisory": "GHSA-47hf-23pw-3m8c",
"discovery": "UNKNOWN"
},
"title": "Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41230",
"datePublished": "2026-04-23T03:47:11.258Z",
"dateReserved": "2026-04-18T03:47:03.134Z",
"dateUpdated": "2026-04-23T13:58:27.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41229 (GCVE-0-2026-41229)
Vulnerability from cvelistv5 – Published: 2026-04-23 03:44 – Updated: 2026-04-23 12:31
VLAI?
Title
Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)
Summary
Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch.
Severity ?
9.1 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/3589ddf… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41229",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T12:31:11.971510Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T12:31:15.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T03:44:25.617Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8"
},
{
"name": "https://github.com/froxlor/froxlor/commit/3589ddf93ab59eb2a8971f0f56cbf6266d03c4ae",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/3589ddf93ab59eb2a8971f0f56cbf6266d03c4ae"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"
}
],
"source": {
"advisory": "GHSA-gc9w-cc93-rjv8",
"discovery": "UNKNOWN"
},
"title": "Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41229",
"datePublished": "2026-04-23T03:44:25.617Z",
"dateReserved": "2026-04-18T03:47:03.134Z",
"dateUpdated": "2026-04-23T12:31:15.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41228 (GCVE-0-2026-41228)
Vulnerability from cvelistv5 – Published: 2026-04-23 03:41 – Updated: 2026-04-23 14:48
VLAI?
Title
Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution
Summary
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.
Severity ?
10 (Critical)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/bc5e6db… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41228",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T14:46:42.002368Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T14:48:07.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T03:41:47.479Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7"
},
{
"name": "https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"
}
],
"source": {
"advisory": "GHSA-w59f-67xm-rxx7",
"discovery": "UNKNOWN"
},
"title": "Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41228",
"datePublished": "2026-04-23T03:41:47.479Z",
"dateReserved": "2026-04-18T03:47:03.134Z",
"dateUpdated": "2026-04-23T14:48:07.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30932 (GCVE-0-2026-30932)
Vulnerability from cvelistv5 – Published: 2026-03-24 18:46 – Updated: 2026-03-25 13:31
VLAI?
Title
Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
Summary
Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5.
Severity ?
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/b348292… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30932",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T13:30:29.048584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T13:31:13.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T18:46:13.137Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-x6w6-2xwp-3jh6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-x6w6-2xwp-3jh6"
},
{
"name": "https://github.com/froxlor/froxlor/commit/b34829262dc32818b37f6a1eabb426d0b277a86b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/b34829262dc32818b37f6a1eabb426d0b277a86b"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.5"
}
],
"source": {
"advisory": "GHSA-x6w6-2xwp-3jh6",
"discovery": "UNKNOWN"
},
"title": "Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30932",
"datePublished": "2026-03-24T18:46:13.137Z",
"dateReserved": "2026-03-07T16:40:05.885Z",
"dateUpdated": "2026-03-25T13:31:13.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26279 (GCVE-0-2026-26279)
Vulnerability from cvelistv5 – Published: 2026-03-03 22:31 – Updated: 2026-03-04 16:13
VLAI?
Title
Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection
Summary
Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.
Severity ?
9.1 (Critical)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/Froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/froxlor/commit/2224967… | x_refsource_MISC |
| https://github.com/froxlor/froxlor/releases/tag/2.3.4 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26279",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T16:12:37.881548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T16:13:18.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor\u0027s input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-482",
"description": "CWE-482: Comparing instead of Assigning",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T22:31:58.516Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c"
},
{
"name": "https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.4"
}
],
"source": {
"advisory": "GHSA-33mp-8p67-xj7c",
"discovery": "UNKNOWN"
},
"title": "Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26279",
"datePublished": "2026-03-03T22:31:58.516Z",
"dateReserved": "2026-02-12T17:10:53.414Z",
"dateUpdated": "2026-03-04T16:13:18.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48958 (GCVE-0-2025-48958)
Vulnerability from cvelistv5 – Published: 2025-06-02 11:18 – Updated: 2025-06-02 16:41
VLAI?
Title
Froxlor has an HTML Injection Vulnerability
Summary
Froxlor is open source server administration software. Prior to version 2.2.6, an HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email section. This can lead to phishing attacks, credential theft, and reputational damage by redirecting users to malicious external websites. The vulnerability has a medium severity, as it can be exploited through user input without authentication. Version 2.2.6 fixes the issue.
Severity ?
5.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/Froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/Froxlor/commit/fde43f8… | x_refsource_MISC |
| https://github.com/user-attachments/assets/869476… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48958",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T16:40:22.307089Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T16:41:18.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-26xq-m8xw-6373"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.2.6, an HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email section. This can lead to phishing attacks, credential theft, and reputational damage by redirecting users to malicious external websites. The vulnerability has a medium severity, as it can be exploited through user input without authentication. Version 2.2.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T11:18:27.230Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-26xq-m8xw-6373",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-26xq-m8xw-6373"
},
{
"name": "https://github.com/froxlor/Froxlor/commit/fde43f80600f1035e1e3d2297411b666d805549a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/Froxlor/commit/fde43f80600f1035e1e3d2297411b666d805549a"
},
{
"name": "https://github.com/user-attachments/assets/86947633-3e7c-4e10-86cc-92e577761e8e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/user-attachments/assets/86947633-3e7c-4e10-86cc-92e577761e8e"
}
],
"source": {
"advisory": "GHSA-26xq-m8xw-6373",
"discovery": "UNKNOWN"
},
"title": "Froxlor has an HTML Injection Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48958",
"datePublished": "2025-06-02T11:18:27.230Z",
"dateReserved": "2025-05-28T18:49:07.585Z",
"dateUpdated": "2025-06-02T16:41:18.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-29773 (GCVE-0-2025-29773)
Vulnerability from cvelistv5 – Published: 2025-03-13 17:07 – Updated: 2025-03-13 18:30
VLAI?
Title
Froxlor allows Multiple Accounts to Share the Same Email Address Leading to Potential Privilege Escalation or Account Takeover
Summary
Froxlor is open-source server administration software. A vulnerability in versions prior to 2.2.6 allows users (such as resellers or customers) to create accounts with the same email address as an existing account. This creates potential issues with account identification and security. This vulnerability can be exploited by authenticated users (e.g., reseller, customer) who can create accounts with the same email address that has already been used by another account, such as the admin. The attack vector is email-based, as the system does not prevent multiple accounts from registering the same email address, leading to possible conflicts and security issues. Version 2.2.6 fixes the issue.
Severity ?
5.8 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/Froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/Froxlor/commit/a43d53d… | x_refsource_MISC |
| https://mega.nz/file/h8oFHQrL#I4V02_BWee4CCx7OoBl… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-29773",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-13T18:30:51.821664Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T18:30:56.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-7j6w-p859-464f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open-source server administration software. A vulnerability in versions prior to 2.2.6 allows users (such as resellers or customers) to create accounts with the same email address as an existing account. This creates potential issues with account identification and security. This vulnerability can be exploited by authenticated users (e.g., reseller, customer) who can create accounts with the same email address that has already been used by another account, such as the admin. The attack vector is email-based, as the system does not prevent multiple accounts from registering the same email address, leading to possible conflicts and security issues. Version 2.2.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T17:07:28.515Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-7j6w-p859-464f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-7j6w-p859-464f"
},
{
"name": "https://github.com/froxlor/Froxlor/commit/a43d53d54034805e3e404702a01312fa0c40b623",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/Froxlor/commit/a43d53d54034805e3e404702a01312fa0c40b623"
},
{
"name": "https://mega.nz/file/h8oFHQrL#I4V02_BWee4CCx7OoBl_2Ufkd5Wc7fvs5aCatGApkoQ",
"tags": [
"x_refsource_MISC"
],
"url": "https://mega.nz/file/h8oFHQrL#I4V02_BWee4CCx7OoBl_2Ufkd5Wc7fvs5aCatGApkoQ"
}
],
"source": {
"advisory": "GHSA-7j6w-p859-464f",
"discovery": "UNKNOWN"
},
"title": "Froxlor allows Multiple Accounts to Share the Same Email Address Leading to Potential Privilege Escalation or Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-29773",
"datePublished": "2025-03-13T17:07:28.515Z",
"dateReserved": "2025-03-11T14:23:00.474Z",
"dateUpdated": "2025-03-13T18:30:56.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34070 (GCVE-0-2024-34070)
Vulnerability from cvelistv5 – Published: 2024-05-10 15:21 – Updated: 2024-08-02 02:42
VLAI?
Title
Froxlor Vulnerable to Blind XSS Leading to Froxlor Application Compromise
Summary
Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. This vulnerability is fixed in 2.1.9.
Severity ?
9.7 (Critical)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/froxlor/Froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/froxlor/Froxlor/commit/a862307… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:froxlor:froxlor:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"lessThan": "2.1.9",
"status": "affected",
"version": "2.1.9*",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34070",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-10T20:22:17.320471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:42:49.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:42:59.890Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53"
},
{
"name": "https://github.com/froxlor/Froxlor/commit/a862307bce5cdfb1c208b835f3e8faddd23046e6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/froxlor/Froxlor/commit/a862307bce5cdfb1c208b835f3e8faddd23046e6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. This vulnerability is fixed in 2.1.9.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-10T15:21:37.883Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53"
},
{
"name": "https://github.com/froxlor/Froxlor/commit/a862307bce5cdfb1c208b835f3e8faddd23046e6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/Froxlor/commit/a862307bce5cdfb1c208b835f3e8faddd23046e6"
}
],
"source": {
"advisory": "GHSA-x525-54hf-xr53",
"discovery": "UNKNOWN"
},
"title": "Froxlor Vulnerable to Blind XSS Leading to Froxlor Application Compromise"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34070",
"datePublished": "2024-05-10T15:21:37.883Z",
"dateReserved": "2024-04-30T06:56:33.381Z",
"dateUpdated": "2024-08-02T02:42:59.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50256 (GCVE-0-2023-50256)
Vulnerability from cvelistv5 – Published: 2024-01-03 22:34 – Updated: 2025-06-17 20:29
VLAI?
Title
Froxlor username/surname AND company field Bypass
Summary
Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue.
Severity ?
7.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Froxlor/Froxlor/security/advis… | x_refsource_CONFIRM |
| https://github.com/Froxlor/Froxlor/commit/4b18468… | x_refsource_MISC |
| https://user-images.githubusercontent.com/8002876… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.105Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4"
},
{
"name": "https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac"
},
{
"name": "https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-09T15:34:46.014767Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:29:07.539Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Froxlor",
"vendor": "Froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-03T22:34:47.447Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4"
},
{
"name": "https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac"
},
{
"name": "https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4",
"tags": [
"x_refsource_MISC"
],
"url": "https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4"
}
],
"source": {
"advisory": "GHSA-625g-fm5w-w7w4",
"discovery": "UNKNOWN"
},
"title": "Froxlor username/surname AND company field Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50256",
"datePublished": "2024-01-03T22:34:47.447Z",
"dateReserved": "2023-12-05T20:42:59.378Z",
"dateUpdated": "2025-06-17T20:29:07.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6069 (GCVE-0-2023-6069)
Vulnerability from cvelistv5 – Published: 2023-11-10 00:00 – Updated: 2024-08-02 08:21
VLAI?
Title
Improper Link Resolution Before File Access in froxlor/froxlor
Summary
Improper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0.
Severity ?
9.9 (Critical)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| froxlor | froxlor/froxlor |
Affected:
unspecified , < 2.1.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/aac0627e-e59d-476e-9385-edb7ff53758c"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/froxlor/froxlor/commit/9e8f32f1e86016733b603b50c31b97f472e8dabc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "froxlor/froxlor",
"vendor": "froxlor",
"versions": [
{
"lessThan": "2.1.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0.\u003c/p\u003e"
}
],
"value": "Improper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-16T21:10:57.491Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/aac0627e-e59d-476e-9385-edb7ff53758c"
},
{
"url": "https://github.com/froxlor/froxlor/commit/9e8f32f1e86016733b603b50c31b97f472e8dabc"
}
],
"source": {
"advisory": "aac0627e-e59d-476e-9385-edb7ff53758c",
"discovery": "EXTERNAL"
},
"title": "Improper Link Resolution Before File Access in froxlor/froxlor",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2023-6069",
"datePublished": "2023-11-10T00:00:32.765Z",
"dateReserved": "2023-11-10T00:00:12.624Z",
"dateUpdated": "2024-08-02T08:21:17.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4829 (GCVE-0-2023-4829)
Vulnerability from cvelistv5 – Published: 2023-10-13 12:24 – Updated: 2024-09-17 17:05
VLAI?
Title
Cross-site Scripting (XSS) - Stored in froxlor/froxlor
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22.
Severity ?
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| froxlor | froxlor/froxlor |
Affected:
unspecified , < 2.0.22
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:38:00.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/babd73ca-6c80-4145-8c7d-33a883fe606b"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/froxlor/froxlor/commit/4711a414360782fe4fc94f7c25027077cbcdf73d"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"lessThan": "2.0.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4829",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-17T17:04:26.707923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T17:05:37.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor/froxlor",
"vendor": "froxlor",
"versions": [
{
"lessThan": "2.0.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-13T12:24:05.277Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/babd73ca-6c80-4145-8c7d-33a883fe606b"
},
{
"url": "https://github.com/froxlor/froxlor/commit/4711a414360782fe4fc94f7c25027077cbcdf73d"
}
],
"source": {
"advisory": "babd73ca-6c80-4145-8c7d-33a883fe606b",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in froxlor/froxlor"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-4829",
"datePublished": "2023-10-13T12:24:05.277Z",
"dateReserved": "2023-09-08T00:00:07.307Z",
"dateUpdated": "2024-09-17T17:05:37.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5564 (GCVE-0-2023-5564)
Vulnerability from cvelistv5 – Published: 2023-10-13 00:00 – Updated: 2024-09-17 17:08
VLAI?
Title
Cross-site Scripting (XSS) - Stored in froxlor/froxlor
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1.
Severity ?
5.2 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| froxlor | froxlor/froxlor |
Affected:
unspecified , < 2.1.0-dev1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.835Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/9254d8f3-a847-4ae8-8477-d2ce027cff5c"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/froxlor/froxlor/commit/e8ed43056c1665522a586e3485da67f2bdf073aa"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "froxlor",
"vendor": "froxlor",
"versions": [
{
"lessThan": "2.1.0-dev1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5564",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-17T17:07:19.123189Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T17:08:03.569Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "froxlor/froxlor",
"vendor": "froxlor",
"versions": [
{
"lessThan": "2.1.0-dev1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-13T00:00:19.626Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/9254d8f3-a847-4ae8-8477-d2ce027cff5c"
},
{
"url": "https://github.com/froxlor/froxlor/commit/e8ed43056c1665522a586e3485da67f2bdf073aa"
}
],
"source": {
"advisory": "9254d8f3-a847-4ae8-8477-d2ce027cff5c",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in froxlor/froxlor"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-5564",
"datePublished": "2023-10-13T00:00:19.626Z",
"dateReserved": "2023-10-13T00:00:06.686Z",
"dateUpdated": "2024-09-17T17:08:03.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}