661 matches found
Froxlor Security Vulnerability
Froxlor is lightweight server management software developed by the Froxlor team. Versions of Froxlor prior to 2.3.6 contained security vulnerabilities. These vulnerabilities stemmed from the use of the adminid parameter in Domains.add without verification, allowing administrators to assi...
PT-2026-34633
Froxlor is open source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with change_serversettings permission adds or updates a MySQL server via the API,...
Froxlor Security Vulnerability
Froxlor is lightweight server management software developed by the Froxlor team. Versions of Froxlor prior to 2.3.6 contained security vulnerabilities. These vulnerabilities stemmed from the lack of validation for the def_language parameter in the API endpoints Customers.update and...
PT-2026-34634
Froxlor is open source server administration software. Prior to version 2.3.6, DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted e.g.,...
PT-2026-34638
Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customers_see_all permission. This allows a reseller to attribute newly created...
PT-2026-34637
Froxlor is open source server administration software. Prior to version 2.3.6, in EmailSender::add, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to...
PT-2026-34632
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoints Customers.update and Admins.update do not validate the def_language parameter against the list of available language files. An authenticated customer can set def_language to a path traversal...
PT-2026-34635
Froxlor is open source server administration software. Prior to version 2.3.6, DataDump.add constructs the export destination path from user-supplied input without passing the $fixed_homedir parameter to FileDir::makeCorrectDir, bypassing the symlink validation that was added to all other...
GHSA-W59F-67XM-RXX7 Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution
Summary: The Froxlor API endpoints Customers.update and Admins.update do not validate the def_language parameter against the list of available language files. An authenticated customer can set def_language to a path traversal payload e.g., ../../../../../var/customers/webs/customer1/evil, which is...
Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution
Summary: The Froxlor API endpoints Customers.update and Admins.update do not validate the def_language parameter against the list of available language files. An authenticated customer can set def_language to a path traversal payload e.g., ../../../../../var/customers/webs/customer1/evil, which is...
PHP Remote File Inclusion
Overview: froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to PHP Remote File Inclusion via the def_language parameter in the API, which is not properly validated against the list of available language files. An attacker can execute arbitrary PHP...
Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)
Summary: PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with change_serversettings permission adds or updates a MySQL server via the API, the privileged_user parameter which has no input validation is written...
Arbitrary Code Injection
Overview: froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Arbitrary Code Injection via the PhpHelper::parseArrayToString process. An attacker can execute arbitrary PHP code as the web server user by injecting specially crafted input into...
GHSA-GC9W-CC93-RJV8 Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)
Summary: PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with change_serversettings permission adds or updates a MySQL server via the API, the privileged_user parameter which has no input validation is written...
CRLF Injection
Overview: froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to CRLF Injection via the DomainZones::add process. An attacker can inject arbitrary DNS records and BIND directives into zone files by submitting crafted DNS record types and content...
GHSA-75H4-C557-J89R Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron
Summary: DataDump.add constructs the export destination path from user-supplied input without passing the $fixed_homedir parameter to FileDir::makeCorrectDir, bypassing the symlink validation that was added to all other customer-facing path operations likely as the fix for CVE-2023-6069. When the...
Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron
Summary: DataDump.add constructs the export destination path from user-supplied input without passing the $fixed_homedir parameter to FileDir::makeCorrectDir, bypassing the symlink validation that was added to all other customer-facing path operations likely as the fix for CVE-2023-6069. When the...
Symlink Attack
Overview: froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Symlink Attack via the DataDump.add process. An attacker can gain ownership of arbitrary directories and their contents by creating a symlink within their own directory that points to...
GHSA-VMJJ-QR7V-PXM6 Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing
Summary: In EmailSender::add, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to validateLocalDomainOwnership. This causes the ownership check to always pass for non-existent...
GHSA-JVX4-XV3M-HRJ4 Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()
Summary: In Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customers_see_all permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota since the...