7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
6.9 Medium
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
20.6%
Dear Sirs and Madams,
I would like to report a business logic error vulnerability that I discovered during my recent penetration test on Froxlor.
Specifically, I identified an issue where it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements established by the system.
The surname, family name AND company name all of them can be left blank.
I believe addressing this vulnerability is crucial to ensure the security and integrity of the Froxlor platform.
Thank you for your attention to this matter.
This action served as a means to bypass the mandatory field requirements.
Lets see (please have a look at the Video -> attachment).
as you can see i was able to let the username and second name blank.
Lets see again.
Only the company name is set.
Thank you for your time
CPE | Name | Operator | Version |
---|---|---|---|
froxlor/froxlor | le | 2.1.1 |
github.com/advisories/GHSA-625g-fm5w-w7w4
github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac
github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4
nvd.nist.gov/vuln/detail/CVE-2023-50256
user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
6.9 Medium
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
20.6%