Lucene search
Leorac3A8F36AC-5EDA-41E7-A9C4-E0F3D63E6E3BHistoryDec 30, 2022 - 9:18 p.m.
Reseller role allowed to access to admin functionalities
2022-12-3021:18:16
leorac
www.huntr.dev
15
reseller role
unauthorized access
admin functionalities
url access
0.001 Low
EPSS
Percentile
20.1%
Description
The reseller user can access to some admin functionality just directly accessing to it by URL, even though the menu shouldn’t allow it.
Proof of Concept
- Go to https://v2.demo.froxlor.org
- Login as
reseller1 - Point to:
https://v2.demo.froxlor.org/admin_opcacheinfo.php?page=showinfo
https://v2.demo.froxlor.org/admin_mysqlserver.php?page=mysqlserver
https://v2.demo.froxlor.org/admin_cronjobs.php?page=overview
Related
github
github
Froxlor Improper Authorization vulnerability
2022-12-31 12:30:20
osv
osv
Froxlor Improper Authorization vulnerability
2022-12-31 12:30:20
CVE-2022-4868
2022-12-31 10:15:13
cve
cve
CVE-2022-4868
2022-12-31 10:15:13
nvd
nvd
CVE-2022-4868
2022-12-31 10:15:13
prion
prion
Authorization
2022-12-31 10:15:00
cvelist
cvelist
CVE-2022-4868 Improper Authorization in froxlor/froxlor
2022-12-31 00:00:00