Search for packages
| purl | pkg:composer/froxlor/froxlor@0.10.20 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-13gb-yr6z-n7cc
Aliases: CVE-2023-0877 GHSA-vp4r-h765-5mwp |
Code Injection in GitHub repository froxlor/froxlor prior to 2.0.11. |
Affected by 24 other vulnerabilities. |
|
VCID-1rwn-9phn-kkb4
Aliases: CVE-2026-30932 GHSA-x6w6-2xwp-3jh6 |
Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5. |
Affected by 6 other vulnerabilities. |
|
VCID-2mym-uwpj-v3he
Aliases: CVE-2023-0572 GHSA-3chw-8jq2-w769 |
Unchecked Error Condition in GitHub repository froxlor/froxlor prior to 2.0.10. |
Affected by 26 other vulnerabilities. |
|
VCID-38ph-pcue-zydu
Aliases: CVE-2023-4304 GHSA-9rmf-6qgj-g3wj |
Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.22,2.1.0. |
Affected by 15 other vulnerabilities. |
|
VCID-44fu-9q5x-uuf8
Aliases: CVE-2023-2666 GHSA-4gm9-c9jq-g523 |
Allocation of Resources Without Limits or Throttling in GitHub repository froxlor/froxlor prior to 2.0.16. |
Affected by 21 other vulnerabilities. |
|
VCID-7e6h-qe19-jken
Aliases: CVE-2025-29773 GHSA-7j6w-p859-464f |
Froxlor is open-source server administration software. A vulnerability in versions prior to 2.2.6 allows users (such as resellers or customers) to create accounts with the same email address as an existing account. This creates potential issues with account identification and security. This vulnerability can be exploited by authenticated users (e.g., reseller, customer) who can create accounts with the same email address that has already been used by another account, such as the admin. The attack vector is email-based, as the system does not prevent multiple accounts from registering the same email address, leading to possible conflicts and security issues. Version 2.2.6 fixes the issue. |
Affected by 8 other vulnerabilities. |
|
VCID-8c8t-7j1p-3baa
Aliases: CVE-2022-4867 GHSA-6gwx-gw56-qhf7 |
Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.0-beta1. |
Affected by 0 other vulnerabilities. |
|
VCID-9t9n-1hhp-3yga
Aliases: CVE-2026-41228 GHSA-w59f-67xm-rxx7 |
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue. |
Affected by 4 other vulnerabilities. |
|
VCID-atns-wuzm-kqh2
Aliases: CVE-2026-41230 GHSA-47hf-23pw-3m8c |
Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. Version 2.3.6 fixes the issue. |
Affected by 4 other vulnerabilities. |
|
VCID-d48t-6m2w-s7h2
Aliases: CVE-2023-0565 GHSA-vqqm-c9gx-773q |
Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.10. |
Affected by 26 other vulnerabilities. |
|
VCID-dptm-3z1r-bubj
Aliases: CVE-2024-34070 GHSA-x525-54hf-xr53 |
Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. This vulnerability is fixed in 2.1.9. |
Affected by 11 other vulnerabilities. |
|
VCID-e8hu-xceh-cygy
Aliases: CVE-2021-42325 GHSA-6fvw-x6gw-4wv8 |
Froxlor SQL injection vulnerability |
Affected by 39 other vulnerabilities. |
|
VCID-ebbm-gvf6-xfbd
Aliases: CVE-2026-41229 GHSA-gc9w-cc93-rjv8 |
Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch. |
Affected by 4 other vulnerabilities. |
|
VCID-f15s-unrj-57ax
Aliases: CVE-2023-3192 GHSA-jr66-9ghf-6gp3 |
Session Fixation in GitHub repository froxlor/froxlor prior to 2.1.0. |
Affected by 13 other vulnerabilities. |
|
VCID-gfgb-su1s-ubaj
Aliases: CVE-2023-3173 GHSA-chw4-88xc-79w6 |
Improper Restriction of Excessive Authentication Attempts in GitHub repository froxlor/froxlor prior to 2.0.20. |
Affected by 19 other vulnerabilities. |
|
VCID-gxb4-1jgt-z3a8
Aliases: CVE-2022-3721 GHSA-h95w-p3x6-wwj6 |
Code Injection in GitHub repository froxlor/froxlor prior to 0.10.39. |
Affected by 0 other vulnerabilities. |
|
VCID-gyny-xdxc-vyg7
Aliases: CVE-2022-4868 GHSA-w6qf-j4qr-f946 |
Improper Authorization in GitHub repository froxlor/froxlor prior to 2.0.0-beta1. |
Affected by 0 other vulnerabilities. |
|
VCID-hhky-38kt-9fcd
Aliases: CVE-2022-4864 GHSA-3v7m-2jrh-vc93 |
Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1. |
Affected by 0 other vulnerabilities. |
|
VCID-hhmm-9bdt-fyb5
Aliases: CVE-2023-2034 GHSA-qwvp-g9j7-28f6 |
Unrestricted Upload of File with Dangerous Type in GitHub repository froxlor/froxlor prior to 2.0.14. |
Affected by 22 other vulnerabilities. |
|
VCID-hr4y-q8gp-5ua5
Aliases: CVE-2023-0566 GHSA-w7w4-qjgg-372x |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in froxlor/froxlor prior to 2.0.10. |
Affected by 26 other vulnerabilities. |
|
VCID-hs15-esbz-bfhb
Aliases: CVE-2023-0671 GHSA-9fqc-9cpr-w73q |
Code Injection in GitHub repository froxlor/froxlor prior to 2.0.10. |
Affected by 26 other vulnerabilities. |
|
VCID-hwdk-umd9-pbhp
Aliases: CVE-2020-29653 GHSA-j739-gw6q-f4c7 |
HTML Injection in Froxlor |
Affected by 40 other vulnerabilities. |
|
VCID-jvvz-9twe-8fb1
Aliases: CVE-2025-48958 GHSA-26xq-m8xw-6373 |
Froxlor is open source server administration software. Prior to version 2.2.6, an HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email section. This can lead to phishing attacks, credential theft, and reputational damage by redirecting users to malicious external websites. The vulnerability has a medium severity, as it can be exploited through user input without authentication. Version 2.2.6 fixes the issue. |
Affected by 8 other vulnerabilities. |
|
VCID-mgwv-2pj5-pqav
Aliases: CVE-2023-0316 GHSA-xp3g-2729-rxm3 |
Path Traversal: '\..\filename' in GitHub repository froxlor/froxlor prior to 2.0.0. |
Affected by 32 other vulnerabilities. |
|
VCID-nbu9-sey3-w7es
Aliases: CVE-2026-41232 GHSA-vmjj-qr7v-pxm6 |
Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's `sender_login_maps` then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue. |
Affected by 4 other vulnerabilities. |
|
VCID-nf6w-t7ew-ryde
Aliases: CVE-2023-1033 GHSA-p7qq-rrvw-x55x |
Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.11. |
Affected by 24 other vulnerabilities. |
|
VCID-p242-zj5r-7faw
Aliases: CVE-2023-0315 GHSA-cp68-42pf-6627 |
Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8. |
Affected by 31 other vulnerabilities. |
|
VCID-p627-qr92-mkdp
Aliases: CVE-2022-3017 GHSA-9xgp-3mxp-rv7x |
Froxlor vulnerable to Cross-Site Request Forgery (CSRF) |
Affected by 38 other vulnerabilities. |
|
VCID-qyzq-4avu-zugu
Aliases: CVE-2022-3869 GHSA-6rjv-xxgr-v57x |
Code Injection in GitHub repository froxlor/froxlor prior to 0.10.38.2. |
Affected by 0 other vulnerabilities. |
|
VCID-rw5a-bgxw-bfbd
Aliases: CVE-2026-26279 GHSA-33mp-8p67-xj7c |
Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4. |
Affected by 7 other vulnerabilities. |
|
VCID-tk6b-p759-jyfv
Aliases: CVE-2023-5564 GHSA-j5hq-6frc-64v3 |
Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1. |
Affected by 0 other vulnerabilities. |
|
VCID-tvgb-xmfz-tuf6
Aliases: CVE-2026-41233 GHSA-jvx4-xv3m-hrj4 |
Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's `domains_used` counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes the issue. |
Affected by 4 other vulnerabilities. |
|
VCID-u4pt-mr2z-j3f2
Aliases: GHSA-34qg-65m4-f23m |
Froxlor: /etc/pure-ftpd/db/mysql.conf is chmod 644 but contains <SQL_UNPRIVILEGED_PASSWORD> |
Affected by 10 other vulnerabilities. |
|
VCID-unh1-2xmh-qbcs
Aliases: CVE-2023-0564 GHSA-pm72-27mg-fc28 |
Weak Password Requirements in GitHub repository froxlor/froxlor prior to 2.0.10. |
Affected by 26 other vulnerabilities. |
|
VCID-vbvy-j84s-zygu
Aliases: CVE-2023-3172 GHSA-ghqq-jfx7-f6m9 |
Path Traversal in GitHub repository froxlor/froxlor prior to 2.0.20. |
Affected by 19 other vulnerabilities. |
|
VCID-w7xv-k4rd-v7bq
Aliases: CVE-2026-41231 GHSA-75h4-c557-j89r |
Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix. |
Affected by 4 other vulnerabilities. |
|
VCID-x93s-u6kq-fbbe
Aliases: CVE-2023-50256 GHSA-625g-fm5w-w7w4 |
Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue. |
Affected by 12 other vulnerabilities. |
|
VCID-xpgs-hpf3-3qff
Aliases: CVE-2023-1307 GHSA-j83x-r9qq-9g4v |
Authentication Bypass by Primary Weakness in GitHub repository froxlor/froxlor prior to 2.0.13. |
Affected by 23 other vulnerabilities. |
|
VCID-y4zg-wf1d-4bcm
Aliases: CVE-2023-4829 GHSA-cvwv-h85m-w37h |
Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22. |
Affected by 15 other vulnerabilities. |
|
VCID-yqdf-v5wf-j3bj
Aliases: CVE-2023-6069 GHSA-4jch-8qq5-hqg6 |
Affected by 14 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
|
VCID-zrvp-d87z-p7dy
Aliases: CVE-2023-3668 GHSA-c6v5-pf66-xfq8 |
Improper Encoding or Escaping of Output in GitHub repository froxlor/froxlor prior to 2.0.21. |
Affected by 17 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||