Froxlor

7 CVEs

CVE-2026-41233 | PHP | MEDIUM | PATCH | This Month

Froxlor versions prior to 2.3.6 allow authenticated resellers to bypass domain quota restrictions by attributing newly created domains to arbitrary admins through unvalidated `adminid` parameter input in the `Domains.add()` function. This vulnerability enables quota exhaustion attacks against other administrators and domain creation beyond the attacker's assigned limits, with confirmed patch availability in version 2.3.6.

Tags: Authentication Bypass, Froxlor
References: NVD, GitHub, VulDB
CVSS 3.1: 5.4
EPSS: 0.0%
CVE-2026-41232 | PHP | MEDIUM | PATCH | This Month

Froxlor versions prior to 2.3.6 fail to validate domain ownership correctly when adding full email sender aliases, allowing authenticated customers to add sender aliases for email addresses on domains belonging to other customers and subsequently send emails as those addresses via Postfix sender_login_maps authorization. The vulnerability stems from an array indexing error in EmailSender::add() that passes the local part of an email address instead of the domain to the ownership validation function, causing the check to pass for non-existent domains. No active exploitation has been confirmed at the time of analysis.

Tags: Authentication Bypass, Froxlor
References: NVD, GitHub, VulDB
CVSS 3.1: 5.0
EPSS: 0.0%
CVE-2026-41231 | PHP | HIGH | PATCH | GHSA | This Week

Symlink-based privilege escalation in Froxlor versions prior to 2.3.6 allows authenticated customers to gain ownership of arbitrary system directories. When the ExportCron executes as root, it performs 'chown -R' on user-controlled export paths that bypass symlink validation (introduced to fix CVE-2023-6069), enabling attackers to place symbolic links and hijack ownership of critical system files. This is a regression of the CVE-2023-6069 fix where DataDump.add() failed to apply the same symlink protections used elsewhere. EPSS data unavailable; no evidence of active exploitation (not in CISA KEV), but the specific vulnerability class (symlink following in privileged operations) has well-known exploitation patterns. Patch available in version 2.3.6.

Tags: Authentication Bypass, Froxlor
References: NVD, GitHub, VulDB
CVSS 3.1: 7.5
EPSS: 0.0%
CVE-2026-41230 | PHP | HIGH | PATCH | GHSA | This Week

DNS zone file injection in Froxlor versions prior to 2.3.6 allows authenticated customers to inject arbitrary BIND directives and DNS records through unvalidated record types and unsanitized newline characters. Attackers with low-privilege customer accounts can manipulate DNS resolution for managed domains by embedding malicious directives like $INCLUDE, $ORIGIN, or $GENERATE into zone files, potentially redirecting traffic, creating unauthorized records, or disrupting DNS services. CVSS 8.5 with scope change indicates impact beyond the vulnerable component. Vendor patch released in version 2.3.6 (GitHub commit 47a8af5d). No CISA KEV listing or public exploit identified at time of analysis, but attack complexity is low (AC:L) for authenticated users.

Tags: Authentication Bypass, Froxlor
References: NVD, GitHub, VulDB
CVSS 3.1: 8.5
EPSS: 0.0%
CVE-2026-26279 | PHP | CRITICAL | POC | PATCH | Act Now

Command injection in Froxlor server admin before 2.3.4 due to a typo (== instead of =) that disables input validation entirely. PoC and patch available.

Tags: RCE, Froxlor
References: NVD, GitHub
CVSS 3.1: 9.1
EPSS: 0.6%
CVE-2025-48958 | PHP | MEDIUM | POC | PATCH | This Month

Froxlor is open source server administration software. Prior to version 2.2.6, an HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email section. This can lead to phishing attacks, credential theft, and reputational damage by redirecting users to malicious external websites. The vulnerability has a medium severity, as it can be exploited through user input without authentication. Version 2.2.6 fixes the issue.

Tags: XSS, Debian, Froxlor
References: NVD, GitHub
CVSS 3.1: 5.5
EPSS: 0.1%
CVE-2025-29773 | PHP | MEDIUM | POC | PATCH | This Month

Froxlor is open-source server administration software. Rated medium severity (CVSS 5.8), this vulnerability has low attack complexity. Public exploit code is available.

Tags: Authentication Bypass, Froxlor
References: NVD, GitHub
CVSS 3.1: 5.8
EPSS: 0.0%