SB2026062993 - Multiple vulnerabilities in Froxlor
Published: June 29, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) Information disclosure (CVE-ID: N/A)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive authentication material and compromise affected accounts.
The vulnerability exists due to exposure of sensitive information in Froxlor API command classes when handling API get and listing requests. A remote privileged user can send crafted API requests to disclose sensitive authentication material and compromise affected accounts.
The issue affects customer, administrator, and FTP API responses that return password hashes, and customer and administrator responses may also expose Base32-encoded TOTP seed material when 2FA is enabled.
CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject additional DNS resource records into a generated zone file.
The vulnerability exists due to improper neutralization of special elements in output used by a downstream component in the DomainZones.add API command and DNS zone-file serialization when processing user-controlled record and type fields. A remote user can submit crafted record or type values containing line delimiters, tab characters, or comment delimiters to inject additional DNS resource records into a generated zone file.
The issue is limited to domains the user can manage, and no cross-tenant impact is established.
3) SQL injection (CVE-ID: CVE-2026-54348)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to SQL injection in the Admins.add, Admins.update, and IpsAndPorts.listing API workflow when processing a stored `ipaddress` value and later building a dynamic `IN` clause from it. A remote privileged user can store a crafted SQL payload through the `ipaddress` parameter and trigger it via `IpsAndPorts.listing` to disclose sensitive information.
The issue is second-order and requires an authenticated administrator API key with `change_serversettings = 1`.
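A hardened version of the pattern described above, written as an added Python/SQLite illustration rather than Froxlor's PHP code: the stored `ipaddress` value is assumed to be a comma-separated list of integer ids (assumption), validated when it is stored and again when the `IN` clause is built, with each id bound as a parameter instead of being spliced into the SQL text. The `listing_unsafe` function shows the second-order shape of the bug for contrast; the table and rows are constructed sample data.

```python
import re
import sqlite3

# Constructed sample rows standing in for an ip/port table; not Froxlor data.
SAMPLE_IPS = [(1, "192.0.2.10", 80), (2, "192.0.2.10", 443), (3, "198.51.100.7", 80)]
# Assumption: the stored `ipaddress` value is a comma-separated list of integer ids.
ID_LIST_ITEM = re.compile(r"-?\d+")


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ipsandports (id INTEGER PRIMARY KEY, ip TEXT, port INTEGER)")
    con.executemany("INSERT INTO ipsandports VALUES (?, ?, ?)", SAMPLE_IPS)
    return con


def parse_id_list(stored: str) -> list[int]:
    """Reject anything that is not an integer id.

    Apply this when the value is written (Admins.add / Admins.update) and again
    when it is read back (IpsAndPorts.listing), so a value stored before the
    check existed is still caught at the point of use.
    """
    ids = []
    for part in stored.split(","):
        part = part.strip()
        if not ID_LIST_ITEM.fullmatch(part):
            raise ValueError(f"non-numeric id in stored ipaddress value: {part!r}")
        ids.append(int(part))
    return ids


def listing_unsafe(con: sqlite3.Connection, stored: str) -> list[tuple]:
    # Second-order pattern: whatever was stored is spliced into the IN clause as SQL text.
    sql = f"SELECT id, ip, port FROM ipsandports WHERE id IN ({stored}) ORDER BY id"
    return con.execute(sql).fetchall()


def listing_safe(con: sqlite3.Connection, stored: str) -> list[tuple]:
    ids = parse_id_list(stored)
    placeholders = ", ".join("?" * len(ids))  # one bound parameter per id
    sql = f"SELECT id, ip, port FROM ipsandports WHERE id IN ({placeholders}) ORDER BY id"
    return con.execute(sql, ids).fetchall()
```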
4) Cross-site scripting (CVE-ID: CVE-2026-54347)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in an administrator's browser and take over the administrator account.
The vulnerability exists due to cross-site scripting in the DNS editor TXT record content rendering path when an administrator views the DNS configuration of an affected domain. A remote user can inject a crafted DNS TXT record to execute arbitrary JavaScript in an administrator's browser and take over the administrator account.
DNS functionality and DNS editor access must be enabled, and user interaction is limited to the administrator visiting the DNS editor page for the affected domain.
5) Cross-site request forgery (CVE-ID: N/A)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform unauthorized actions.
The vulnerability exists due to missing cross-site request forgery protection in the AJAX endpoint lib/ajax.php?action=editapikey when handling crafted cross-site requests. A remote attacker can trick the victim into visiting a crafted page to perform unauthorized actions.
User interaction is required to load the crafted page.
6) CRLF injection (CVE-ID: N/A)
CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to inject arbitrary web server configuration directives and disclose sensitive information.
The vulnerability exists due to improper neutralization of CRLF sequences in subdomain redirect URL handling in lib/Froxlor/Api/Commands/SubDomains.php when processing customer-supplied redirect URLs during subdomain creation or update. A remote user can supply a redirect URL containing literal newline characters to inject arbitrary web server configuration directives and disclose sensitive information.
The injected content is written into nginx or Apache virtual host configuration files during the cron rebuild cycle, and a malformed payload can cause a denial of service for all hosted customers while a crafted payload can affect other hosted domains.
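Vulnerabilities 2 and 6 share one defensive rule: user-controlled text must not reach a line-oriented configuration file (a zone file, an nginx or Apache vhost) carrying the delimiters that file interprets. The Python below is an added illustration, not Froxlor code; the record-type allowlist and the `zone_line` and `nginx_redirect_directive` helpers are assumptions about how such output would be built.

```python
import re
from urllib.parse import urlsplit

# In a BIND-style zone file CR/LF end the record, TAB separates fields and ';'
# opens a comment, so any of them in an unquoted field changes the file's structure.
ZONE_STRUCTURAL = re.compile(r"[\r\n\t;]")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# nginx/Apache tokenise on whitespace and ';', and quotes/braces/'#' open other constructs.
URL_FORBIDDEN = re.compile(r"""[\s\x00-\x1f\x7f;'"{}#\\]""")
ALLOWED_RR_TYPES = {"A", "AAAA", "CAA", "CNAME", "MX", "NS", "SRV", "TXT"}  # assumed allowlist


def validate_rr_type(rtype: str) -> str:
    t = rtype.strip().upper()
    if t not in ALLOWED_RR_TYPES:
        raise ValueError(f"unsupported record type {rtype!r}")
    return t


def zone_line(name: str, ttl: int, rtype: str, content: str) -> str:
    """Serialise one resource record; raise instead of emitting a malformed line."""
    rtype = validate_rr_type(rtype)
    if CONTROL.search(name + content) or ZONE_STRUCTURAL.search(name):
        raise ValueError("line delimiter or control character in record data")
    if rtype == "TXT":
        # TXT data is a quoted string: escape backslash and quote, after which ';'
        # and TAB are literal characters inside the quotes (DMARC records need ';').
        escaped = content.replace("\\", "\\\\").replace('"', '\\"')
        content = f'"{escaped}"'
    elif ZONE_STRUCTURAL.search(content):
        raise ValueError("comment delimiter in unquoted record data")
    return f"{name}\t{ttl}\tIN\t{rtype}\t{content}"


def validate_redirect_url(url: str) -> str:
    """Only a plain absolute http(s) URL with no control or structural characters passes."""
    if URL_FORBIDDEN.search(url):
        raise ValueError("forbidden character in redirect URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return url


def nginx_redirect_directive(url: str) -> str:
    # The directive ends with ';' and a newline; a validated URL cannot supply its own.
    return f"\treturn 301 {validate_redirect_url(url)};"
```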
Remediation
Install the update from the vendor's website.
References
- https://github.com/froxlor/froxlor/security/advisories/GHSA-7788-ghfq-c6mh
- https://github.com/froxlor/froxlor/security/advisories/GHSA-5rw4-4665-cvwf
- https://github.com/froxlor/froxlor/security/advisories/GHSA-w27m-rmmf-g5w4
- https://github.com/froxlor/froxlor/security/advisories/GHSA-43gm-9rr3-cx7g
- https://github.com/froxlor/froxlor/security/advisories/GHSA-xpr4-8vp6-c87j
- https://github.com/froxlor/froxlor/security/advisories/GHSA-c3p2-mj7v-5mrc