GoogleOSV:GHSA-625G-FM5W-W7W4Froxlor username/surname AND company field Bypass
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.1 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
20.6%
Dear Sirs and Madams,
I would like to report a business logic error vulnerability that I discovered during my recent penetration test on Froxlor.
Specifically, I identified an issue where it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements established by the system.
The surname, family name AND company name all of them can be left blank.
I believe addressing this vulnerability is crucial to ensure the security and integrity of the Froxlor platform.
Thank you for your attention to this matter.
This action served as a means to bypass the mandatory field requirements.
Lets see (please have a look at the Video -> attachment).
as you can see i was able to let the username and second name blank.
Lets see again.
Only the company name is set.
Thank you for your time
References
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.1 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
20.6%