SB2026062992 - Multiple vulnerabilities in Froxlor

Published: June 29, 2026

Security Bulletin ID SB2026062992
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 43%, Low 57%

Description

This security bulletin contains information about 7 vulnerabilities.


1) Improper Authorization (CVE-ID: N/A)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to create MySQL databases on disallowed servers.

The vulnerability exists due to improper authorization in the Mysqls.add API command when processing a customer-supplied mysql_server parameter. A remote user can send a specially crafted API request to create MySQL databases on disallowed servers.

Exploitation requires valid customer API credentials and is limited to creating and managing a newly provisioned database on an operator-configured server outside the customer's allowlist.


2) Information disclosure (CVE-ID: N/A)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in customer_email.php when rendering the sender-delete confirmation page with a supplied senderid value. A remote user can supply a foreign sender alias identifier to disclose sensitive information.

Only instances with mail.enable_allow_sender enabled are vulnerable.


3) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2026-41237)

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to inject arbitrary DNS records into bind9 zone files.

The vulnerability exists due to improper neutralization of special elements in output used by a downstream component in DnsEntry.php when processing DNS record content for LOC, RP, SSHFP, and TLSA records. A remote user can submit crafted DNS record content with embedded newlines to inject arbitrary DNS records into bind9 zone files.

Exploitation requires DNS management permissions.


4) Link following (CVE-ID: CVE-2026-41236)

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to escalate privileges to root.

The vulnerability exists due to improper link resolution before file access when the SSH key synchronization task writes ~/.ssh/authorized_keys inside a customer-controlled home directory. A remote user can replace ~/.ssh/authorized_keys with a symbolic link to /root/.ssh/authorized_keys and submit a public key to escalate privileges to root.

Exploitation requires a shell-enabled customer account, control over the assigned home directory, and execution of the root-owned cron synchronization task.
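The hardening a root-run synchronization task needs here is to never follow a link under the customer's home. The following is an added example, not Froxlor's code: it opens each path component relative to its parent with O_NOFOLLOW, refuses anything that is not a regular file owned by the customer, and only then truncates and writes. The file and directory names, the uid handling and the sample key are constructed for the demonstration.

```python
import os
import stat
import tempfile
# Added example, not Froxlor's code: write a customer's authorized_keys without
# following any symbolic link under the customer-controlled home directory.

def write_authorized_keys(home: str, uid: int, keys: list[str]) -> int:
    data = "".join(k.strip() + "\n" for k in keys).encode()
    # Each component is opened relative to its parent with O_NOFOLLOW, so a
    # symlink at .ssh or authorized_keys fails with ELOOP instead of being used.
    home_fd = os.open(home, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        ssh_fd = os.open(".ssh", os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=home_fd)
    finally:
        os.close(home_fd)
    try:
        try:  # O_EXCL fails on any existing entry, symlinks included
            fd = os.open("authorized_keys", os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600, dir_fd=ssh_fd)
            os.fchown(fd, uid, -1)  # freshly created: hand it to the customer
        except FileExistsError:
            fd = os.open("authorized_keys", os.O_WRONLY | os.O_NOFOLLOW, dir_fd=ssh_fd)
    finally:
        os.close(ssh_fd)
    try:
        st = os.fstat(fd)  # a hard link to a root-owned file shows a foreign owner here
        if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
            raise PermissionError("authorized_keys is not a customer-owned regular file")
        os.ftruncate(fd, 0)  # truncate only after the checks passed
        return os.write(fd, data)
    finally:
        os.close(fd)

def demo() -> dict:
    """Constructed scenario: an honest home next to one with a planted symlink."""
    uid, out = os.getuid(), {}
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "root_keys")  # stands in for /root/.ssh/authorized_keys
        open(target, "w").close()
        for name in ("honest", "planted"):
            ssh_dir = os.path.join(tmp, name, ".ssh")
            os.makedirs(ssh_dir, 0o700)
            if name == "planted":
                os.symlink(target, os.path.join(ssh_dir, "authorized_keys"))
            try:
                write_authorized_keys(os.path.join(tmp, name), uid, ["ssh-ed25519 AAAA-CONSTRUCTED customer"])
                out[name] = "written"
            except OSError:
                out[name] = "refused"
        out["target_untouched"] = os.path.getsize(target) == 0
    return out
```

Running `demo()` reports the honest home as written and the planted one as refused, with the stand-in root file left empty.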


5) Incorrect authorization (CVE-ID: CVE-2026-41235)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to gain host shell access.

The vulnerability exists due to improper access control in the FTP account handlers when processing add or edit requests for FTP shell assignment. A remote user can submit an arbitrary shell outside the configured whitelist to gain host shell access.

Exploitation requires an authenticated customer session, a valid CSRF token, customer shell delegation to be enabled for that customer, and deployment with the default nssextrausers integration so the chosen shell is propagated into the system account database.


6) Improper Authentication (CVE-ID: N/A)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to bypass two-factor authentication and gain full access to API operations.

The vulnerability exists due to improper authentication in FroxlorRPC::validateAuth when handling API authentication with an API key and secret for an account with 2FA enabled. A remote user can use a leaked API key and secret to bypass two-factor authentication and gain full access to API operations.

The issue affects accounts that have 2FA enabled because the API path does not issue or verify a TOTP challenge, unlike the web UI.


7) Input validation error (CVE-ID: CVE-2026-41234)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to inject arbitrary DNS records, disclose sensitive information, and cause a denial of service.

The vulnerability exists due to improper input validation in the DomainZones.add API endpoint when processing TXT record content containing newline characters. A remote user can submit a specially crafted TXT record value to inject arbitrary BIND directives and DNS records into the generated zone file, disclose sensitive information, and cause a denial of service.

Exploitation requires DNS editing to be enabled for the customer, and the injected content is written to disk when the DNS rebuild cron regenerates the zone file.
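Items 3 and 7 share one root cause: record content reaches the zone file with embedded line breaks intact, so a single value can become several records or a directive. The following is an added example, not Froxlor's code, of the check a zone renderer needs: record data is confined to printable ASCII on one line, and TXT data is additionally quoted, escaped and split into 255-octet strings. Record names and values are constructed.

```python
import re
# Added example, not Froxlor's code: validate customer-supplied record content
# before rendering it into a BIND zone file, so an embedded line break can
# never start a new record or a $-directive.

# Record data must stay on one physical zone-file line: printable ASCII only.
ONE_LINE = re.compile(r"^[\x20-\x7e]*$")
UNQUOTED_TYPES = {"LOC", "RP", "SSHFP", "TLSA"}  # rendered verbatim, so this check is all there is

class InvalidRecord(ValueError):
    pass

def validate_content(rtype: str, content: str) -> str:
    """Return content unchanged, or raise if it would span zone-file lines."""
    if not ONE_LINE.match(content):
        bad = sorted({hex(ord(c)) for c in content if not ONE_LINE.match(c)})
        raise InvalidRecord(f"{rtype} content contains control/non-ASCII bytes {bad}")
    if rtype in UNQUOTED_TYPES and not content.strip():
        raise InvalidRecord(f"{rtype} content must not be empty")
    return content

def render_record(name: str, ttl: int, rtype: str, content: str) -> str:
    """Render one zone-file line; TXT data is quoted, escaped and split."""
    validate_content(rtype, content)
    if rtype == "TXT":
        # Split the raw data into <=255-octet strings first, then escape each
        # chunk, so an escape sequence can never straddle a quote boundary.
        chunks = [content[i:i + 255] for i in range(0, len(content), 255)] or [""]
        rdata = " ".join('"%s"' % c.replace("\\", "\\\\").replace('"', '\\"') for c in chunks)
    else:
        rdata = content
    return f"{name}\t{ttl}\tIN\t{rtype}\t{rdata}"

def is_safe(rtype: str, content: str) -> bool:
    try:
        validate_content(rtype, content)
        return True
    except InvalidRecord:
        return False

if __name__ == "__main__":
    # Constructed inputs: a legitimate SPF record and values carrying an injected A record.
    print(render_record("example.com.", 3600, "TXT", "v=spf1 -all"))
    print(is_safe("TXT", "v=spf1 -all\ninjected IN A 192.0.2.1"))    # False
    print(is_safe("TLSA", "3 1 1 0a0b\r\ninjected IN A 192.0.2.1"))  # False
```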


Remediation

Install the update from the vendor's website.