165 matches found
CVE-2026-41233
Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created...
CVE-2026-41233
Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created...
CVE-2026-41233
Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created...
CVE-2026-41233 Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()
Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created...
CVE-2026-41233
Froxlor CVE-2026-41233 affects the Domains.add() flow prior to version 2.3.6. The adminid parameter is taken from user input and used without validation when the caller lacks customers_see_all, allowing a reseller to attribute newly created domains to another admin. This bypasses the reseller’s o...
GHSA-JVX4-XV3M-HRJ4 Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()
Summary In Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota since the...
CVE-2026-27602
Modoboa contains an OS command injection vulnerability (CWE-like) due to exec_cmd paths using subprocess with shell=True and unsanitized domain/input values. In modoboa/lib/sysutils.py and related sinks (DKIM domain handling, mailbox rename, sa-learn, doveadm, rrdtool, webmail operations), domain...
Command Injection
Overview modoboa is a Mail hosting made simple Affected versions of this package are vulnerable to Command Injection via the execcmd function. An attacker who has Reseller or SuperAdmin privileges can execute arbitrary operating system commands by supplying specially crafted input, such as domain...
GHSA-WWV8-CQPR-VX3M Modoboa has OS Command Injection
Summary execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server...
Malicious Package
Overview flexfone-reseller is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
CVE-2016-10822
cPanel before 55.9999.141 allows self XSS in X3 Reseller Branding Images SEC-88...
CVE-2017-18482
cPanel before 62.0.4 allows resellers to use the WHM enqueuetransferitem API for queueing non-rearrange modules SEC-213...
CVE-2017-18455
In cPanel before 62.0.17, addon domain conversion did not require a package for resellers SEC-208...
EUVD-2019-5597
Malware in sbrugna...
EUVD-2010-1896
Malware in sbrugna...
EUVD-2017-15569
Malware in sbrugna...
EUVD-2016-1816
Malware in sbrugna...
EUVD-2021-13082
Malware in sbrugna...
EUVD-2017-9571
Malware in sbrugna...
EUVD-2007-1297
Malware in sbrugna...