CVE-2020-10237
An issue was discovered in Froxlor through 0.10.15. The installer wrote configuration parameters, including passwords, into files in /tmp and set restrictive permissions only after the sensitive data had been written. A local attacker who read the file during that window could obtain the credentials,...
CVE-2020-10236
Affected software: Froxlor before 0.10.14. Vulnerability: during installation, Froxlor creates files with static (predictable) names in /tmp if the installation directory is not writable, via _createUserdataConf in install/lib/class.FroxlorInstall.php. Impact: local attackers can cause a denial of service or disclose informa...
CVE-2020-10236
An issue was discovered in Froxlor before 0.10.14. It created files with static names in /tmp during installation if the installation directory was not writable. This allowed local attackers to cause a denial of service or to disclose information from the config files, because of createUserdataConf in...
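The two installer mistakes above (a fixed file name in /tmp, and permissions tightened only after the secret is already on disk) are easiest to see side by side. The following is an added example written for this page, not Froxlor's own installer code: the function names, the generated file contents and the demo credentials are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Froxlor's own installer code. It contrasts the install-time
// pattern described in CVE-2020-10236/10237 (a static /tmp name, and permissions
// tightened only after the secret is on disk) with a safe way to write the same
// file. Function names and the generated file contents are hypothetical.

function renderUserdata(string $dbUser, string $dbPassword): string
{
    // var_export() emits a valid PHP string literal, so quotes in the password
    // cannot break out of it.
    return "<?php\n"
        . '$sql["user"] = ' . var_export($dbUser, true) . ";\n"
        . '$sql["password"] = ' . var_export($dbPassword, true) . ";\n";
}

// Vulnerable: predictable name, and the secret sits world-readable until chmod().
// Returns the path and the mode the file had during that window.
function writeUserdataUnsafe(string $dbUser, string $dbPassword): array
{
    $path = sys_get_temp_dir() . '/userdata.inc.php';              // static name: can be pre-created or symlinked
    file_put_contents($path, renderUserdata($dbUser, $dbPassword)); // created 0644 under the usual 022 umask
    $modeDuringWindow = fileperms($path) & 0777;
    chmod($path, 0600);                                             // too late: the window is already over
    return [$path, $modeDuringWindow];
}

// Safer: unique name, created atomically with mode 0600, never through a symlink,
// and the secret is written only once the file is known to be ours.
function writeUserdataSafe(string $dbUser, string $dbPassword): string
{
    $oldUmask = umask(0077);   // nothing created below is group- or world-readable
    try {
        // tempnam() creates the file itself (O_CREAT|O_EXCL, mode 0600); a
        // pre-planted file or symlink with the same name just makes it pick another.
        $path = tempnam(sys_get_temp_dir(), 'userdata-');
        if ($path === false || is_link($path) || !is_file($path)) {
            throw new RuntimeException('could not create a private temporary file');
        }
        if (file_put_contents($path, renderUserdata($dbUser, $dbPassword), LOCK_EX) === false) {
            throw new RuntimeException('write failed');
        }
        return $path;
    } finally {
        umask($oldUmask);
    }
}

// Stand-alone demo.
[$unsafePath, $windowMode] = writeUserdataUnsafe('froxlor', 'S3cr3t!');
$safePath = writeUserdataSafe('froxlor', 'S3cr3t!');
printf("unsafe: %s was mode %04o while the password was already on disk\n", $unsafePath, $windowMode);
printf("safe:   %s is mode %04o\n", $safePath, fileperms($safePath) & 0777);
unlink($unsafePath);
unlink($safePath);
```

The order of operations is the whole point: restrict first (umask, then an exclusive create with 0600), write second. The better fix for an installer is to not put credentials in a shared temp directory at all and to abort with a clear message when the target directory is not writable.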
Froxlor php object injection vulnerability
Froxlor is a web-based server administration panel developed by the Froxlor team; it supports Apache, Lighttpd and Nginx, among other servers. A PHP object injection vulnerability exists in the domain form of Froxlor 0.9.39.5 and earlier versions. A remote...
CVE-2018-1000527
Froxlor version <= 0.9.39.5 contains a PHP Object Injection vulnerability in the Domain name form that can result in information disclosure and remote code execution. The attack appears to be exploitable by passing a malicious serialized PHP object in $_POST['ssl_ipandport']. This vulnerability appears to...
CVE-2018-1000527
CVE-2018-1000527 affects Froxlor ≤ 0.9.39.5, describing a PHP Object Injection in the Domain name form that can lead to information disclosure and remote code execution. The attack is reported as exploitable by sending a malicious PHP object via $_POST['ssl_ipandport']; multiple sources corrobora...
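What "a malicious PHP object in $_POST['ssl_ipandport']" buys an attacker is control over which class unserialize() instantiates, and therefore which magic methods run. The block below is an added example for this page, not Froxlor's code and not the gadget chain from the original report: the TemplateCache class, its side effect, and the assumption that the field carries a list of numeric ip/port ids are all hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Froxlor's code. It shows why calling unserialize() on a form
// field (the CVE-2018-1000527 reports name $_POST['ssl_ipandport']) hands the
// sender control over which classes get instantiated, and two ways to take the
// same input safely. The gadget class, its side effect, and the assumption that
// the field carries a list of numeric ip/port ids are hypothetical.

// Any autoloadable class with a magic method is a gadget candidate; __destruct
// runs as soon as the unserialized object is released.
class TemplateCache
{
    public string $path = '';
    public string $content = '';

    public function __destruct()
    {
        // Hypothetical cache flush: an arbitrary file write once both
        // properties come from the attacker.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// Vulnerable: whatever class name the serialized string carries gets instantiated.
function parseSslIpAndPortUnsafe(string $posted): mixed
{
    return unserialize($posted);
}

// Fix 1: do not accept serialized PHP at all; take a plain array of ids from the
// form (e.g. <select name="ssl_ipandport[]">) and validate each element.
function parseSslIpAndPortSafe(mixed $posted): array
{
    $ids = is_array($posted) ? $posted : [$posted];
    $clean = [];
    foreach ($ids as $id) {
        if (!is_string($id) || !preg_match('/^[1-9]\d{0,9}$/', $id)) {
            throw new InvalidArgumentException('ssl_ipandport must contain numeric ids only');
        }
        $clean[] = (int) $id;
    }
    return array_values(array_unique($clean));
}

// Fix 2: if serialized data really must be accepted, forbid object creation.
function unserializeNoObjects(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed attacker payload: a serialized TemplateCache pointing at a file of
// the attacker's choosing.
$target = sys_get_temp_dir() . '/injected-by-unserialize.txt';
$gadget = new TemplateCache();
$gadget->path = $target;
$gadget->content = "owned\n";
$payload = serialize($gadget);
$gadget->path = '';              // disarm our own copy so its destructor is a no-op
$_POST['ssl_ipandport'] = $payload;

@unlink($target);
parseSslIpAndPortUnsafe($_POST['ssl_ipandport']);   // object built, freed, __destruct fires
var_dump(file_exists($target));                     // bool(true)
@unlink($target);

try {
    parseSslIpAndPortSafe($_POST['ssl_ipandport']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                    // rejected before anything is instantiated
}
var_dump(parseSslIpAndPortSafe(['3', '7', '3']));   // array(2) { [0]=> int(3) [1]=> int(7) }

// With allowed_classes=false the class is not created; no magic method runs.
var_dump(get_class(unserializeNoObjects($payload)));  // string(22) "__PHP_Incomplete_Class"
var_dump(file_exists($target));                       // bool(false)
```

__destruct is only the most convenient trigger; __wakeup, __toString and __call chains work the same way, and the real gadget is whatever class the application already autoloads. Validating the field as the integer ids it represents removes the attack surface entirely; allowed_classes=false is the fallback when a serialized format genuinely cannot be replaced.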
CVE-2018-12642
Froxlor through 0.9.39.5 has Incorrect Access Control for tickets not owned by the current user...
CVE-2018-12642
Froxlor up to version 0.9.39.5 contains an Incorrect Access Control issue where tickets can be accessed by users who do not own them. The connected Red Hat, SUSE, GHSA, OSV, and CVE records corroborate this vulnerability family. The description does not provide root-cause details or a vendor patc...
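Since the entries above give no root-cause detail, here is the generic shape of "tickets can be accessed by users who do not own them" and its fix: the lookup must be bound to the authenticated customer, not just to the ticket id from the request. This is an added example for this page, not Froxlor's code; the table name, columns and the in-memory SQLite fixture are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Froxlor's code. It contrasts a ticket lookup keyed only on the
// ticket id with one that also binds the lookup to the logged-in customer, the
// access-control gap CVE-2018-12642 describes. Table name, columns and the SQLite
// fixture are hypothetical.

function openFixture(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, customerid INTEGER NOT NULL, subject TEXT, message TEXT)');
    $ins = $db->prepare('INSERT INTO tickets (id, customerid, subject, message) VALUES (?, ?, ?, ?)');
    $ins->execute([1, 100, 'Mail not working', 'Customer 100 private text']);
    $ins->execute([2, 200, 'Billing question', 'Customer 200 private text']);
    return $db;
}

// Vulnerable: the ticket id is the only selector; any authenticated customer can
// walk the id space and read everyone's tickets.
function loadTicketUnsafe(PDO $db, int $ticketId): ?array
{
    $st = $db->prepare('SELECT id, customerid, subject, message FROM tickets WHERE id = ?');
    $st->execute([$ticketId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Fixed: ownership is part of the query, so a foreign ticket is indistinguishable
// from a non-existent one (which also denies the caller an oracle for valid ids).
function loadTicketForCustomer(PDO $db, int $ticketId, int $customerId): ?array
{
    $st = $db->prepare('SELECT id, customerid, subject, message FROM tickets WHERE id = ? AND customerid = ?');
    $st->execute([$ticketId, $customerId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = openFixture();
$sessionCustomer = 100;   // the logged-in user, taken from the session, never from the request
$requested = 2;           // id taken from the URL; this ticket belongs to customer 200

var_dump(loadTicketUnsafe($db, $requested)['message']);                // "Customer 200 private text" leaks
var_dump(loadTicketForCustomer($db, $requested, $sessionCustomer));   // NULL
var_dump(loadTicketForCustomer($db, 1, $sessionCustomer)['subject']); // "Mail not working"
```

The same ownership predicate belongs in every code path that touches a ticket (reply, close, delete, attachment download), not only the view page. An administrator role that legitimately sees all tickets should take a separate, explicit branch rather than a query without the customer condition.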
Froxlor 0.9.37 HTML Injection
Credits: John Page aka HyP3rlinX
Website: hyp3rlinx.altervista.org
Source: http://hyp3rlinx.altervista.org/advisories/FROXLOR-0.9.37-HTML-INJECTION.txt
ISR: ApparitionSec
Vendor: www.froxlor.org
Product: Froxlor 0.9.37
Vulnerability Type: ...
Default configuration
Froxlor before 0.9.33.2 with the default configuration/setup might allow remote attackers to obtain the database password by reading /logs/sql-error.log...
CVE-2015-5959
CVE-2015-5959 affects Froxlor prior to 0.9.33.2, where default installations could disclose the database password by reading the /logs/sql-error.log file. Multiple sources (NVD entry and FreeBSD VuXML) describe an unauthenticated information-disclosure scenario tied to the /logs directory permiss...
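Two things had to go wrong for /logs/sql-error.log to give up the database password: the log lived where the web server would serve it, and the logged message contained the credential. The following is an added example for this page, not Froxlor's code: a small error logger that refuses a log directory inside the document root, creates the file owner-readable only, and scrubs configured secrets before writing. The class name, paths and the sample exception text are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not Froxlor's code. CVE-2015-5959 is a log file under the web
// root that contained the database password. This logger (1) refuses a log
// directory inside the document root, (2) creates the file owner-readable only,
// and (3) scrubs configured secrets from every message before it is written.
// Class name, paths and the sample exception are constructed for the demo.

final class SqlErrorLog
{
    private string $file;
    /** @var string[] values that must never appear in the log, longest first */
    private array $secrets;

    public function __construct(string $logDir, array $secrets)
    {
        $docroot = $_SERVER['DOCUMENT_ROOT'] ?? '';
        if ($docroot !== '') {
            $realDir = realpath($logDir) ?: $logDir;
            $realRoot = rtrim(realpath($docroot) ?: $docroot, '/') . '/';
            if (str_starts_with($realDir . '/', $realRoot)) {
                throw new RuntimeException("log directory $logDir is inside the document root");
            }
        }
        if (!is_dir($logDir) && !mkdir($logDir, 0700, true)) {
            throw new RuntimeException("cannot create $logDir");
        }
        $this->file = rtrim($logDir, '/') . '/sql-error.log';
        $secrets = array_values(array_filter($secrets, fn(string $s): bool => $s !== ''));
        usort($secrets, fn(string $a, string $b): int => strlen($b) <=> strlen($a));
        $this->secrets = $secrets;
    }

    // Longest secrets are replaced first, so a short secret that is a substring
    // of a longer one cannot leave part of the longer one behind.
    public function redact(string $text): string
    {
        return str_replace($this->secrets, '[REDACTED]', $text);
    }

    public function write(Throwable $e): void
    {
        $line = sprintf("[%s] %s: %s\n", date('c'), get_class($e), $this->redact($e->getMessage()));
        $old = umask(0077);   // the file is created 0600, not 0644
        try {
            if (file_put_contents($this->file, $line, FILE_APPEND | LOCK_EX) === false) {
                throw new RuntimeException("cannot write {$this->file}");
            }
        } finally {
            umask($old);
        }
    }

    public function path(): string
    {
        return $this->file;
    }
}

// Demo: a connection error that echoes the DSN, the kind of line that leaked.
$dbPassword = 'hunter2-prod';
$log = new SqlErrorLog(sys_get_temp_dir() . '/panel-logs', [$dbPassword]);
$log->write(new PDOException(
    "SQLSTATE[HY000] [1045] could not connect with mysql:host=localhost;dbname=panel;user=panel;password=$dbPassword"
));
echo file_get_contents($log->path());
printf("mode %04o\n", fileperms($log->path()) & 0777);
```

Redaction is the last line of defence, not the first: keep the directory outside the document root, add a deny rule for it in the web server configuration as well, and avoid logging stack traces with arguments, since a constructor call that received the password will reproduce it there.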
Froxlor Password Reset Vulnerability
Froxlor is a web-based server administration panel developed by the Froxlor team; it supports Apache, Lighttpd and Nginx, among other servers. A security vulnerability exists in versions of Froxlor prior to 0.9.35 that stems from the program's use of the 'PHP rand'...
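The entry is truncated, but the class of bug is clear: a password-reset token drawn from rand() is not unpredictable, so the reset link can be guessed. The block below is an added example for this page, not Froxlor's code and not the original advisory's method. It contrasts a rand()-based token with a CSPRNG-based one, and shows the consequence under one constructed assumption, that the generator was seeded from the request time; the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Froxlor's code. The entry above attributes the reset flaw to
// rand(); this contrasts a reset token drawn from rand() with one drawn from the
// CSPRNG, and shows the practical consequence under one constructed assumption:
// the generator was seeded from the request time. Function names are hypothetical,
// and the seed search is this demo's method, not the original advisory's.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';

// Weak: rand() (an alias of mt_rand() since PHP 7.1) is not designed to be
// unpredictable, and once seeded its output is fully reproducible.
function weakToken(int $length = 16): string
{
    $t = '';
    for ($i = 0; $i < $length; $i++) {
        $t .= ALPHABET[rand(0, strlen(ALPHABET) - 1)];
    }
    return $t;
}

function weakTokenSeeded(int $seed, int $length = 16): string
{
    srand($seed);   // constructed assumption: the app seeds from time()
    return weakToken($length);
}

// Strong: 32 bytes from the CSPRNG, hex-encoded (64 chars, 256 bits).
function strongToken(): string
{
    return bin2hex(random_bytes(32));
}

// Store only the hash; a database read then does not yield usable reset links.
function tokenFingerprint(string $token): string
{
    return hash('sha256', $token);
}

// Server-side check (constructed): constant-time compare against the stored hash.
function makeAcceptor(string $storedFingerprint): Closure
{
    return fn(string $t): bool => hash_equals($storedFingerprint, tokenFingerprint($t));
}

// Attacker side: knowing roughly when the reset was requested, regenerate the
// token for every second in a window and offer each one to the server.
function bruteForceWindow(callable $accept, int $around, int $window = 300): ?array
{
    $attempts = 0;
    for ($s = $around - $window; $s <= $around + $window; $s++) {
        $attempts++;
        $candidate = weakTokenSeeded($s);
        if ($accept($candidate)) {
            return ['token' => $candidate, 'seed' => $s, 'attempts' => $attempts];
        }
    }
    return null;
}

// Server issues a weak token at $issuedAt and keeps only its hash.
$issuedAt = 1_700_000_000;
$acceptWeak = makeAcceptor(tokenFingerprint(weakTokenSeeded($issuedAt)));

// The attacker's clock is 37 seconds off; a 5-minute window still covers it.
$hit = bruteForceWindow($acceptWeak, $issuedAt + 37);
var_dump($hit['seed'] === $issuedAt, $hit['attempts']);   // bool(true) int(264)

// Same server with the strong token: nothing to enumerate.
$acceptStrong = makeAcceptor(tokenFingerprint(strongToken()));
var_dump(bruteForceWindow($acceptStrong, $issuedAt + 37) === null);  // bool(true)
var_dump(strlen(strongToken()));                                      // int(64)
```

The seeded-from-time scenario is only the most dramatic case; an unseeded mt_rand() is still a deterministic generator whose state can be inferred from enough observed outputs. random_bytes() (or random_int() for a ranged value) is the right primitive for any token that authenticates someone, and the server should additionally expire reset tokens quickly and rate-limit the reset endpoint.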