froxlor/froxlor is vulnerable to Command Injection. The vulnerability is due to an Arbitrary File Write in the logging module, which allows an attacker to overwrite an arbitrary file, combined with Template Injection. A remote authenticated attacker can chain these two vulnerabilities to achieve Remote Code Execution by overwriting a Twig template.
packetstormsecurity.com/files/171108/Froxlor-2.0.6-Remote-Command-Execution.html
packetstormsecurity.com/files/171729/Froxlor-2.0.3-Stable-Remote-Code-Execution.html
github.com/froxlor/froxlor/commit/090cfc26f2722ac3036cc7fd1861955bc36f065a
huntr.dev/bounties/ff4e177b-ba48-4913-bbfa-ab8ce0db5943