CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Description (NVD)
Froxlor is open source server administration software. Prior to version 2.3.6, in EmailSender::add(), the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to validateLocalDomainOwnership(). This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's sender_login_maps then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue.
Analysis (AI)
Froxlor versions prior to 2.3.6 fail to validate domain ownership correctly when adding full email sender aliases, allowing authenticated customers to add sender aliases for email addresses on domains belonging to other customers and subsequently send emails as those addresses via Postfix sender_login_maps authorization. The vulnerability stems from an array indexing error in EmailSender::add() that passes the local part of an email address instead of the domain to the ownership validation function, causing the check to pass for non-existent domains. …
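An added illustration of the indexing error described above; this is not Froxlor's code. explode() on an address yields [local part, domain], and the vulnerable path hands index 0 to the ownership check, so the check sees a name that is not a registered domain. The registered-domain table and validateLocalDomainOwnership() stand-in are constructed assumptions that mimic the "non-existent domain passes" behaviour the description gives.

```php
<?php
declare(strict_types=1);

// Constructed sample data (not from the project): registered domain => owning customer id.
const REGISTERED_DOMAINS = [
    'victim.example'   => 1,
    'attacker.example' => 2,
];

// Hypothetical stand-in for validateLocalDomainOwnership(): the check only fails when the
// name is a registered domain owned by a different customer, so an unknown name passes.
function validateLocalDomainOwnership(string $domain, int $customerId): bool
{
    if (!isset(REGISTERED_DOMAINS[$domain])) {
        return true; // unknown "domain": nothing to conflict with
    }
    return REGISTERED_DOMAINS[$domain] === $customerId;
}

// Vulnerable shape: index 0 of the split is the local part, not the domain.
function addSenderAliasVulnerable(string $email, int $customerId): bool
{
    $parts = explode('@', $email, 2);
    return validateLocalDomainOwnership($parts[0], $customerId);
}

// Fixed shape: reject malformed input, then validate the domain part (index 1).
function addSenderAliasFixed(string $email, int $customerId): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $parts = explode('@', $email, 2);
    if (count($parts) !== 2) {
        return false;
    }
    return validateLocalDomainOwnership($parts[1], $customerId);
}

// Customer 2 attempts a sender alias on customer 1's domain.
// Vulnerable path: the ownership check is handed "billing", which is not a registered domain.
var_dump(addSenderAliasVulnerable('billing@victim.example', 2));
// Fixed path: the check is handed "victim.example", owned by customer 1.
var_dump(addSenderAliasFixed('billing@victim.example', 2));
// Fixed path on the customer's own domain still succeeds.
var_dump(addSenderAliasFixed('info@attacker.example', 2));
```

For detection, compare each customer's sender aliases against the domains they own; an alias whose domain belongs to another customer is the artifact this bug leaves behind.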
EUVD-2026-25186