661 matches found
GHSA-JVX4-XV3M-HRJ4 Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()
Summary In Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota since the...
CVE-2026-41233
creationtimestamp| type| source ---|---|--- 2026-04-15 06:39:50+00:00| published-proof-of-concept| https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4...
CVE-2026-41232
creationtimestamp| type| source ---|---|--- 2026-04-15 06:39:05+00:00| published-proof-of-concept| https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6...
Arbitrary Code Injection
froxlor/froxlor is vulnerable to Arbitrary Code Injection. The vulnerability is due to improper validation of DNS record content in the DomainZones.add endpoint, which allows an attacker to inject malicious directives into zone files and manipulate DNS configuration...
CVE-2026-30932
Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...
CVE-2026-30932
Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...
CVE-2026-30932
Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...
CVE-2026-30932 Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...
CVE-2026-30932 Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...
CVE-2026-30932
Froxlor is vulnerable to BIND zone file injection via unsanitized content in DomainZones.add for LOC, RP, SSHFP, and TLSA records. The API does not validate content, allowing injection of BIND directives like $INCLUDE which get written into the zone file and processed by BIND, exposing server fil...
CVE-2026-30932 Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...
Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
Summary The DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file directives e.g. $INCLUDE into the zone file that gets written to disk when th...
GHSA-X6W6-2XWP-3JH6 Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
Summary The DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file directives e.g. $INCLUDE into the zone file that gets written to disk when th...
EUVD-2026-14964
Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API...
CVE-2026-30932
creationtimestamp| type| source ---|---|--- 2026-03-24 07:13:33+00:00| published-proof-of-concept| https://github.com/froxlor/froxlor/security/advisories/GHSA-x6w6-2xwp-3jh6...
PT-2026-27480
Name of the Vulnerable Software and Affected Versions Froxlor versions prior to 2.3.5 Description The DomainZones.add API endpoint, accessible to customers with DNS enabled, does not validate the content field for specific DNS record types LOC, RP, SSHFP, TLSA. This allows an attacker to inject...
Froxlor 注入漏洞
Froxlor is a set of lightweight server management software developed by the Froxlor team. Versions of Froxlor prior to 2.3.5 had an injection vulnerability. This vulnerability stemmed from the lack of validation of the content fields of the DomainZones.add API endpoint, which could allow for the...
CVE-2026-26279
Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code == instead of = completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the...
CVE-2026-26279
Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code == instead of = completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the...
CVE-2026-26279 Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection
Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code == instead of = completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the...