3 matches found
CVE-2026-41233
Froxlor CVE-2026-41233 affects the Domains.add() flow prior to version 2.3.6. The adminid parameter is taken from user input and used without validation when the caller lacks customers_see_all, allowing a reseller to attribute newly created domains to another admin. This bypasses the reseller’s o...
GHSA-JVX4-XV3M-HRJ4 Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()
Summary In Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota since the...
Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()
Summary In Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota since the...