661 matches found

OSV
added 2025/03/11 8:30 p.m. · 8 views

GHSA-7J6W-P859-464F Froxlor allows Multiple Accounts to Share the Same Email Address Leading to Potential Privilege Escalation or Account Takeover

Summary: The vulnerability is that users such as resellers or customers are able to create accounts with the same email address as an existing account, e.g., if the admin has [email protected], others can also create an account using the same email. This creates potential issues with account...

5.8 CVSS · 7 AI score · 0.00272 EPSS
Exploits 1 · References 5

Positive Technologies
added 2025/03/11 12:0 a.m. · 3 views

PT-2025-23501 · Froxlor · Froxlor

Name of the Vulnerable Software and Affected Versions: Froxlor versions prior to 2.2.6 Description: The issue is an HTML Injection vulnerability in the customer account portal, allowing an attacker to inject malicious HTML payloads in the email section. This can lead to phishing attacks, credenti...

5.5 CVSS · 6.2 AI score · 0.00279 EPSS
Exploits 1 · References 13

Positive Technologies
added 2025/03/11 12:0 a.m. · 2 views

PT-2025-11215 · Froxlor · Froxlor

Name of the Vulnerable Software and Affected Versions: Froxlor versions prior to 2.2.6 Description: Froxlor is open-source server administration software. A vulnerability allows users, such as resellers or customers, to create accounts with the same email address as an existing account, creating...

7.8 CVSS · 6.1 AI score · 0.00272 EPSS
Exploits 1 · References 12

RedhatCVE
added 2025/02/06 12:52 a.m. · 6 views

CVE-2022-3721

Code Injection in GitHub repository froxlor/froxlor prior to 0.10.39...

7.6 CVSS · 7.1 AI score · 0.00754 EPSS
Exploits 0 · References 4

Veracode
added 2024/08/26 5:26 a.m. · 6 views

Improper File Permissions

froxlor/froxlor is vulnerable to Improper File Permissions. The vulnerability is due to XML templates in certain branches of Froxlor setting chmod 644 for /etc/pure-ftpd/db/mysql.conf, which allows an attacker to expose the to all users with access to the system...

7 AI score
Exploits 0

OSV
added 2024/08/23 6:54 p.m. · 11 views

GHSA-34QG-65M4-F23M Froxlor: /etc/pure-ftpd/db/mysql.conf is chmod 644 but contains <SQL_UNPRIVILEGED_PASSWORD>

Summary: In Froxlor 2.1.9 and in the HEADs of the main, v2.2 and v2.1 branches, the XML templates in lib/configfiles/ set chmod 644 for /etc/pure-ftpd/db/mysql.conf, although that file contains <SQL_UNPRIVILEGED_PASSWORD>. At least on Debian 12, all parent directories of /etc/pure-ftpd/db/mysql.conf are world readable by...

8.4 CVSS · 7.4 AI score
Exploits 0 · References 4

Github Security Blog
added 2024/08/23 6:54 p.m. · 10 views

Froxlor: /etc/pure-ftpd/db/mysql.conf is chmod 644 but contains <SQL_UNPRIVILEGED_PASSWORD>

Summary: In Froxlor 2.1.9 and in the HEADs of the main, v2.2 and v2.1 branches, the XML templates in lib/configfiles/ set chmod 644 for /etc/pure-ftpd/db/mysql.conf, although that file contains <SQL_UNPRIVILEGED_PASSWORD>. At least on Debian 12, all parent directories of /etc/pure-ftpd/db/mysql.conf are world readable by...

7.4 AI score
Exploits 0 · References 4 · Affected Software 1

Positive Technologies
added 2024/08/23 12:0 a.m. · 1 views

PT-2024-40042 · Percona +2 · Percona +2

Name of the Vulnerable Software and Affected Versions: Froxlor versions 2.1.9 and earlier Description: The issue concerns the exposure of MySQL database credentials due to incorrect file permissions. In affected Froxlor instances configured to use pure-ftpd, the XML templates set chmod 644 for...

8.4 CVSS · 7.8 AI score
Exploits 0 · References 5

OSV
added 2024/06/15 12:0 a.m. · 16 views

OPENSUSE-SU-2024:10487-1 froxlor-0.9.38.4-1.1 on GA media

These are all security issues fixed in the froxlor-0.9.38.4-1.1 package on the GA media of openSUSE Tumbleweed...

7.2 CVSS · 7.6 AI score · 0.00505 EPSS
Exploits 1 · References 1

NVD
added 2024/05/14 3:38 p.m. · 32 views

CVE-2024-34070

Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting XSS vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on t...

9.6 CVSS · 8 AI score · 0.00963 EPSS
Exploits 2 · References 2

CNNVD
added 2024/05/14 12:0 a.m. · 4 views

Froxlor Security Vulnerability

Froxlor is a lightweight server management software from the Froxlor team. A security vulnerability exists in Froxlor versions prior to 2.1.9, which stems from the presence of a stored cross-site scripting XSS vulnerability that allows unauthenticated users to inject malicious scripts...

9.6 CVSS · 7.9 AI score · 0.00963 EPSS
Exploits 2 · References 3

Veracode
added 2024/05/13 6:46 a.m. · 29 views

Cross-Site Scripting (XSS)

froxlor/froxlor is vulnerable to Cross-Site Scripting. The vulnerability is due to inadequate sanitization of user input in the loginname parameter during failed login attempts, which allows attackers to inject and store malicious scripts that are executed when an administrator views the System...

9.6 CVSS · 6.7 AI score · 0.00963 EPSS
Exploits 2

OSV
added 2024/05/10 3:29 p.m. · 26 views

GHSA-X525-54HF-XR53 Blind XSS Leading to Froxlor Application Compromise

Description: A Stored Blind Cross-Site Scripting XSS vulnerability has been identified in the Failed Login Attempts Logging Feature of the Froxlor Application. Stored Blind XSS occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious...

9.6 CVSS · 8.6 AI score · 0.00963 EPSS
Exploits 2 · References 4

Github Security Blog
added 2024/05/10 3:29 p.m. · 55 views

Blind XSS Leading to Froxlor Application Compromise

Description: A Stored Blind Cross-Site Scripting XSS vulnerability has been identified in the Failed Login Attempts Logging Feature of the Froxlor Application. Stored Blind XSS occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious...

9.6 CVSS · 5.4 AI score · 0.00963 EPSS
Exploits 2 · References 4 · Affected Software 1

Cvelist
added 2024/05/10 3:21 p.m. · 46 views

CVE-2024-34070 Froxlor Vulnerable to Blind XSS Leading to Froxlor Application Compromise

Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting XSS vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on t...

9.6 CVSS · 8.1 AI score · 0.00963 EPSS
Exploits 2 · References 2

CVE
added 2024/05/10 3:21 p.m. · 289 views

CVE-2024-34070

CVE-2024-34070 affects Froxlor prior to 2.1.9. A Stored Blind XSS exists in the Failed Login Attempts Logging feature: an unauthenticated user can inject script into the loginname during a login attempt, which runs when an Administrator views System Logs. The vulnerability can be exploited to cau...

9.6 CVSS · 5.6 AI score · 0.00963 EPSS
Exploits 2 · References 2

Vulnrichment
added 2024/05/10 3:21 p.m. · 358 views

CVE-2024-34070 Froxlor Vulnerable to Blind XSS Leading to Froxlor Application Compromise

Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting XSS vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on t...

9.6 CVSS · 7.9 AI score · 0.00963 EPSS
Exploits 2 · References 2

OSV
added 2024/05/10 3:21 p.m. · 35 views

CVE-2024-34070 Froxlor Vulnerable to Blind XSS Leading to Froxlor Application Compromise

Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting XSS vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on t...

9.6 CVSS · 7 AI score · 0.00963 EPSS
Exploits 2 · References 4

Positive Technologies
added 2024/05/10 12:0 a.m. · 3 views

PT-2024-25681 · Froxlor +1 · Froxlor +1

Name of the Vulnerable Software and Affected Versions: Froxlor versions prior to 2.1.9 Description: A Stored Blind Cross-Site Scripting XSS vulnerability has been identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated user can inject malicious scrip...

9.6 CVSS · 6 AI score · 0.00963 EPSS
Exploits 2 · References 11

OSSF Malicious Packages
added 2024/01/21 9:17 p.m. · 2 views

Malicious code in froxlor (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 445e6f97a516e090b04dc5969fbc1472e2c740461dec0b7769bbe76e5d3b6326 The OpenSSF Package Analysis project identified 'froxlor' @ 19.0.4 npm as malicious. It is considered malicious because: - The package...

6.9 AI score
Exploits 0