SB20260427160 - Multiple vulnerabilities in Froxlor
Published: April 27, 2026
Description
This security bulletin contains information about 6 security vulnerabilities.
1) Incorrect authorization (CVE-ID: CVE-2026-41233)
The vulnerability allows a remote user to bypass domain quotas and cause a denial of service.
The vulnerability exists due to incorrect authorization in Domains.add() in lib/Froxlor/Api/Commands/Domains.php when handling the adminid parameter from API requests. A remote user can supply a crafted adminid value to bypass domain quotas and cause a denial of service.
A reseller without the customers_see_all permission can use this to associate newly created domains with a different admin; the domains no longer appear in the reseller's own listings but remain active on the server.
2) Incorrect authorization (CVE-ID: CVE-2026-41232)
The vulnerability allows a remote user to spoof email senders across customer domains.
The vulnerability exists due to incorrect authorization in EmailSender::add() when processing full email sender aliases. A remote user can add a sender alias for an email address on another customer's domain to spoof email senders across customer domains.
Only the full email address alias path is affected; the wildcard @domain path is not affected.
3) Link following (CVE-ID: CVE-2026-41231)
The vulnerability allows a remote user to take ownership of arbitrary directories and files, disclose sensitive information, modify data, and cause a denial of service.
The vulnerability exists due to improper link resolution before file access in DataDump.add() and ExportCron when processing a user-supplied export path that resolves through a symlink. A remote user can schedule a crafted data export to cause the cron job to recursively change ownership of the symlink target.
Exploitation requires the export feature to be enabled and is triggered when the export cron runs as root.
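The check a practitioner would want before a root cron job changes ownership of anything under a user-supplied export path is a symlink-aware containment test: walk the path component by component below the customer's root, refuse any component that is itself a symbolic link, and refuse anything that escapes the root lexically. The following is an added example and is not Froxlor's code; the customer directory layout, the function names and the sample tree it builds in a temporary directory are all assumptions made for the illustration.

```python
import os
import stat
import tempfile


def is_symlink_free_subdir(path: str, allowed_root: str) -> bool:
    """Accept `path` only if it lies inside `allowed_root` and no component
    below the root is a symbolic link. Ancestors of the root are not checked,
    so a legitimately symlinked root (e.g. /tmp on macOS) is not rejected."""
    root = os.path.abspath(allowed_root)
    target = os.path.abspath(path)          # collapses "..", does not follow links
    rel = os.path.relpath(target, root)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        return False                        # escapes the root lexically
    current = root
    for part in ([] if rel == os.curdir else rel.split(os.sep)):
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)          # lstat inspects the link itself
        except FileNotFoundError:
            return False
        if stat.S_ISLNK(st.st_mode):
            return False                    # a symlink in the chain: refuse
    return os.path.isdir(current)


def demo() -> dict:
    """Build a constructed customer-like tree in a temp dir and evaluate
    four candidate export paths against it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "customer")
        outside = os.path.join(tmp, "outside")       # stands in for /etc
        os.makedirs(os.path.join(home, "exports"))
        os.makedirs(os.path.join(home, "nested"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(home, "escape"))
        os.symlink(outside, os.path.join(home, "nested", "link"))
        return {
            "plain": is_symlink_free_subdir(os.path.join(home, "exports"), home),
            "symlink": is_symlink_free_subdir(os.path.join(home, "escape"), home),
            "nested_symlink": is_symlink_free_subdir(
                os.path.join(home, "nested", "link", "x"), home),
            "traversal": is_symlink_free_subdir(
                os.path.join(home, "..", "outside"), home),
        }


if __name__ == "__main__":
    print(demo())
```

The point of using lstat on every component rather than a single realpath comparison is that realpath silently follows the link and would report the resolved target as "inside" if the target happened to be under the root; the ownership change would still land on whatever the link points at.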
4) CRLF injection (CVE-ID: CVE-2026-41230)
The vulnerability allows a remote user to inject arbitrary DNS records and BIND directives, and cause a denial of service.
The vulnerability exists due to improper neutralization of CRLF sequences in DomainZones::add() and DnsEntry::__toString() when processing DNS record content for unsupported record types. A remote user can submit a specially crafted API request containing newline characters to inject arbitrary DNS records and BIND directives, and cause a denial of service.
Exploitation requires DNS editing to be enabled for the customer account, and injected lines are written into the domain's BIND zone file and parsed as independent records or directives.
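To see why a newline in record content is enough, it helps to render a record the way a zone writer does and then split the result the way BIND reads it. The following is an added example, not Froxlor's code: the record layout, the function names and the constructed payload are assumptions for the illustration. The vulnerable renderer copies the content verbatim; the hardened one rejects any control character before the value reaches the zone file.

```python
import re

# Anything below 0x20 (CR, LF, NUL, tab, ...) plus DEL can alter how a zone
# file is tokenised, so none of it belongs in a single record's content.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class ZoneInjectionError(ValueError):
    """Raised when record content cannot be written as exactly one zone line."""


def render_record_unchecked(name: str, ttl: int, rtype: str, content: str) -> str:
    """Vulnerable shape: content is copied verbatim into the zone line, so a
    CR/LF in it starts a new line that BIND parses as a separate record or
    directive."""
    return f"{name}\t{ttl}\tIN\t{rtype}\t{content}\n"


def render_record(name: str, ttl: int, rtype: str, content: str) -> str:
    """Hardened shape: reject control characters in every user-supplied field
    before the value reaches the zone file."""
    for label, field in (("name", name), ("type", rtype), ("content", content)):
        if CONTROL_CHARS.search(field):
            raise ZoneInjectionError(f"control character in {label}: {field!r}")
    return f"{name}\t{int(ttl)}\tIN\t{rtype.upper()}\t{content}\n"


def zone_lines(zone_text: str) -> list:
    """Split zone text into the lines BIND would parse individually
    (parenthesised multi-line records are out of scope for this check)."""
    return [ln for ln in zone_text.splitlines() if ln.strip()]


def demo() -> dict:
    # Constructed payload: a legitimate-looking TXT value, then an injected A
    # record for a name the customer may not own, then an injected directive.
    payload = ('"v=spf1 -all"\n'
               'www 3600 IN A 203.0.113.9\n'
               '$INCLUDE /etc/bind/evil.zone')
    written = zone_lines(render_record_unchecked("@", 3600, "TXT", payload))
    try:
        render_record("@", 3600, "TXT", payload)
        rejected = False
    except ZoneInjectionError:
        rejected = True
    return {
        "lines_written": len(written),
        "directives": [ln for ln in written if ln.startswith("$")],
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

One submitted record becomes three zone lines in the unchecked path, and the third is a $INCLUDE directive rather than a record, which is the "BIND directives" part of the advisory. Rejecting the whole control-character range rather than only CR and LF avoids having to reason about which other bytes a given zone parser treats specially.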
5) Code Injection (CVE-ID: CVE-2026-41229)
The vulnerability allows a remote privileged user to execute arbitrary code.
The vulnerability exists due to improper control of code generation in PhpHelper::parseArrayToString() when generating lib/userdata.inc.php from MysqlServer API input. A remote privileged user can supply a specially crafted privileged_user parameter that is emitted into the generated PHP file, where it executes as PHP code.
The injected code is loaded on every subsequent request through Database::getDB(), and exploitation can be performed by setting test_connection=0 to skip MySQL connection validation.
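The mechanism is string interpolation into generated source: a value that contains a quote closes the PHP string literal it was meant to sit inside, and whatever follows is parsed as code. The example below is added here and is not Froxlor's parseArrayToString(); the array layout it emits, the function names and the constructed payload are assumptions. It shows the unescaped generator beside one that applies PHP's single-quote escaping rules (only backslash and single quote are special inside single quotes, which is also the form PHP's own var_export() produces).

```python
def php_single_quoted_unsafe(value: str) -> str:
    """Vulnerable shape: the value is interpolated into a single-quoted PHP
    literal with no escaping, so a quote in the value ends the literal."""
    return f"'{value}'"


def php_single_quoted(value: str) -> str:
    """Hardened shape: escape the only two characters PHP honours inside
    single quotes (backslash and single quote) so the value stays a literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_userdata(settings: dict, quote) -> str:
    """Emit a PHP file assigning settings to $sql, the shape of a generated
    userdata-style include (illustrative layout, not Froxlor's generator)."""
    lines = ["<?php", "$sql = array("]
    for key, value in settings.items():
        lines.append(f"    {quote(key)} => {quote(value)},")
    lines.append(");")
    return "\n".join(lines) + "\n"


def demo() -> dict:
    # Constructed payload: closes the literal, adds an array element whose
    # value is a function call, then reopens a literal so the file still parses.
    payload = "root', 'pwn' => system('id'), 'tail' => '"
    settings = {"host": "127.0.0.1", "privileged_user": payload}
    unsafe = render_userdata(settings, php_single_quoted_unsafe)
    safe = render_userdata(settings, php_single_quoted)
    return {
        "unsafe_has_call": "=> system('id')" in unsafe,   # call sits outside any literal
        "safe_has_call": "=> system('id')" in safe,       # quotes escaped, still a string
        "safe_literal": php_single_quoted(payload),
    }


if __name__ == "__main__":
    print(demo())
```

Because the generated file is included on every request, the escaping has to be correct the first time it is written; a quick audit of an existing generated file is to check that every value sits inside a single literal, or to regenerate it with var_export().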
6) PHP file inclusion (CVE-ID: CVE-2026-41228)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper control of the filename used in a PHP include/require statement in the Customers.update and Admins.update API endpoints and in Language::loadLanguage() when processing the def_language parameter. A remote user can set def_language to a path traversal payload that references an attacker-controlled .lng.php file; when the stored value is loaded, that file is included and its code executes.
Exploitation requires valid customer or admin API access and relies on a subsequent API request or fresh web login loading the stored def_language value.
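The fix for an include path derived from a stored setting is to treat the application's own language directory as the allowlist and never let the request choose a path. The example below is added here and is not Froxlor's Language::loadLanguage(); the .lng.php naming, the two-to-eight-letter language code pattern, the function names and the files it creates in a temporary directory are assumptions for the illustration.

```python
import os
import re
import tempfile

LANG_CODE = re.compile(r"^[a-z]{2,8}$")   # assumed shape of a language name


def allowed_languages(lang_dir: str) -> frozenset:
    """Enumerate the language files the application ships; this listing,
    not the request, is the allowlist."""
    suffix = ".lng.php"
    return frozenset(f[:-len(suffix)] for f in os.listdir(lang_dir)
                     if f.endswith(suffix))


def resolve_language_file(lang_dir: str, def_language: str):
    """Return the path to include, or None if def_language is not an exact
    member of the allowlist. The regex alone already stops '../', but the
    allowlist also stops probes for files that merely happen to exist."""
    if not LANG_CODE.fullmatch(def_language):
        return None
    if def_language not in allowed_languages(lang_dir):
        return None
    path = os.path.join(lang_dir, def_language + ".lng.php")
    # Defence in depth: the final path must still sit directly in lang_dir.
    if os.path.dirname(os.path.abspath(path)) != os.path.abspath(lang_dir):
        return None
    return path


def demo() -> dict:
    """Constructed layout: shipped language files plus an attacker-writable
    upload directory containing a file with the expected suffix."""
    with tempfile.TemporaryDirectory() as tmp:
        lang_dir = os.path.join(tmp, "lng")
        uploads = os.path.join(tmp, "uploads")
        os.makedirs(lang_dir)
        os.makedirs(uploads)
        for name in ("en.lng.php", "de.lng.php"):
            open(os.path.join(lang_dir, name), "w").close()
        open(os.path.join(uploads, "x.lng.php"), "w").close()  # attacker-controlled
        return {
            "en": resolve_language_file(lang_dir, "en") is not None,
            "traversal": resolve_language_file(lang_dir, "../uploads/x"),
            "unknown": resolve_language_file(lang_dir, "xx"),
        }


if __name__ == "__main__":
    print(demo())
```

Validating at load time as well as at update time matters here, because the advisory notes the stored value is only consumed by a later request or login: a value that slipped into the database before the fix is still rejected when it is read back.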
Remediation
Install the update from the vendor's website. The GitHub security advisories linked below list the affected and patched versions.
References
- https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4
- https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6
- https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r
- https://github.com/advisories/GHSA-75h4-c557-j89r
- https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c
- https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8
- https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7