SB2026062993 - Multiple vulnerabilities in Froxlor




Published: June 29, 2026

Security Bulletin ID: SB2026062993
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Privilege escalation

Breakdown by Severity

Medium 33%, Low 67%

Description

This security bulletin contains information about 6 vulnerabilities.


1) Information disclosure (CVE-ID: N/A)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive authentication material and compromise affected accounts.

The vulnerability exists due to exposure of sensitive information in Froxlor API command classes when handling API get and listing requests. A remote privileged user can send crafted API requests to disclose sensitive authentication material and compromise affected accounts.

The issue affects customer, administrator, and FTP API responses that return password hashes, and customer and administrator responses may also expose Base32-encoded TOTP seed material when 2FA is enabled.
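The following is an added example of the mitigation a maintainer would apply for this class of issue; it is not Froxlor code, and the field names (password, password_hash, totp_secret, api_secret), the listing layout and the function names are assumptions chosen for illustration. It strips credential material from an API result before serialization and, as a last line of defence, refuses to emit a body that still contains a crypt-style hash.

```php
<?php
// Added example, not Froxlor code: strip credential material from API
// "get"/"listing" results before serialization. The key names below are
// assumptions, not Froxlor's actual column names.
declare(strict_types=1);

/** Keys whose values must never be returned by the API (hypothetical names). */
const SENSITIVE_RESPONSE_KEYS = ['password', 'password_hash', 'totp_secret', 'api_secret'];

/** Recursively drop sensitive keys; also walks nested listing wrappers. */
function redactSensitiveFields(array $data, array $keys = SENSITIVE_RESPONSE_KEYS): array
{
    $lookup = array_flip(array_map('strtolower', $keys));
    foreach ($data as $k => $v) {
        if (is_string($k) && isset($lookup[strtolower($k)])) {
            unset($data[$k]);
        } elseif (is_array($v)) {
            $data[$k] = redactSensitiveFields($v, $keys);
        }
    }
    return $data;
}

/** Does any string in the structure look like a crypt-style hash ($2y$, $argon2id$, $6$, ...)? */
function responseContainsHashLikeValue(array $data): bool
{
    foreach ($data as $v) {
        if (is_array($v)) {
            if (responseContainsHashLikeValue($v)) {
                return true;
            }
        } elseif (is_string($v) && preg_match('/^\$(2[abxy]|argon2id?|[156])\$/', $v)) {
            return true;
        }
    }
    return false;
}

/** Serialize an API result, refusing to emit anything that still carries a hash. */
function emitApiResponse(array $result): string
{
    $clean = redactSensitiveFields($result);
    if (responseContainsHashLikeValue($clean)) {
        throw new RuntimeException('refusing to serialize a response that contains credential material');
    }
    return json_encode($clean, JSON_THROW_ON_ERROR);
}

// Constructed sample resembling a customer listing entry with 2FA enabled.
$sample = [
    'count' => 1,
    'list'  => [[
        'customerid'  => 42,
        'loginname'   => 'web1',
        'password'    => '$2y$10$constructed.bcrypt.hash.value.for.the.example',
        'totp_secret' => 'CONSTRUCTEDBASE32SEED',
        'email'       => 'web1@example.com',
    ]],
];

// The encoded output carries neither the password hash nor the TOTP seed.
echo emitApiResponse($sample), PHP_EOL;
```

The denylist does the real work; the hash-pattern check exists so that a column added later under a different name cannot silently reintroduce the leak. A TOTP seed has no recognisable prefix, so it can only be caught by name, which is why the denylist must be kept in step with the schema.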


2) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2026-54543)

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to inject additional DNS resource records into a generated zone file.

The vulnerability exists due to improper neutralization of special elements in output used by a downstream component in the DomainZones.add API command and DNS zone-file serialization when processing user-controlled record and type fields. A remote user can submit crafted record or type values containing line delimiters, tab characters, or comment delimiters to inject additional DNS resource records into a generated zone file.

The issue is limited to domains the user can manage, and no cross-tenant impact is established.


3) SQL injection (CVE-ID: CVE-2026-54348)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to SQL injection in the Admins.add, Admins.update, and IpsAndPorts.listing API workflow when processing a stored `ipaddress` value and later building a dynamic `IN` clause from it. A remote privileged user can store a crafted SQL payload through the `ipaddress` parameter and trigger it via `IpsAndPorts.listing` to disclose sensitive information.

The issue is second-order and requires an authenticated administrator API key with `change_serversettings = 1`.
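As an added example that is not Froxlor code, the block below shows the two controls that close a second-order injection of this shape: the value is validated as a list of IP addresses when it is stored, and the later IN clause is built from bound placeholders so that whatever is in the column can never be parsed as SQL. The table name and columns are assumptions; SQLite in memory is used only so the example runs stand-alone.

```php
<?php
// Added example, not Froxlor code: validate the stored value and bind the
// IN clause. Table/column names are assumptions.
declare(strict_types=1);

/** Accept only a comma-separated list of syntactically valid IPv4/IPv6 addresses. */
function parseIpAddressList(string $raw): array
{
    $ips = [];
    foreach (explode(',', $raw) as $item) {
        $item = trim($item);
        if ($item === '') {
            continue;
        }
        if (filter_var($item, FILTER_VALIDATE_IP) === false) {
            // Do not echo the offending value back; it is attacker-controlled.
            throw new InvalidArgumentException('ipaddress contains an entry that is not an IP address');
        }
        $ips[] = $item;
    }
    if ($ips === []) {
        throw new InvalidArgumentException('ipaddress list is empty');
    }
    return $ips;
}

/** Build "ipaddress IN (?, ?, ...)" with one placeholder per value plus the parameter list. */
function buildIpInClause(array $ips): array
{
    $placeholders = implode(', ', array_fill(0, count($ips), '?'));
    return ["ipaddress IN ($placeholders)", array_values($ips)];
}

// Stand-alone fixture (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ipsandports (id INTEGER PRIMARY KEY, ipaddress TEXT NOT NULL, port INTEGER NOT NULL)');
$ins = $pdo->prepare('INSERT INTO ipsandports (ipaddress, port) VALUES (?, ?)');
foreach ([['203.0.113.10', 80], ['203.0.113.11', 443], ['2001:db8::1', 80]] as $row) {
    $ins->execute($row);
}

// Store-time validation: this is what Admins.add / Admins.update should enforce.
$stored = parseIpAddressList('203.0.113.10, 2001:db8::1');

// Read-time query: even a value that slipped into the column before the fix is
// passed as data, never concatenated into the statement text.
[$where, $params] = buildIpInClause($stored);
$stmt = $pdo->prepare("SELECT id, ipaddress, port FROM ipsandports WHERE $where ORDER BY id");
$stmt->execute($params);
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));

// A list with a non-IP entry is rejected before it can be persisted.
try {
    parseIpAddressList('203.0.113.10, not-an-ip');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because the issue is second-order, validation on write alone is insufficient for rows that already exist; the bound IN clause is the control that also neutralises previously stored values.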


4) Cross-site scripting (CVE-ID: CVE-2026-54347)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in an administrator's browser and take over the administrator account.

The vulnerability exists due to cross-site scripting in the DNS editor TXT record content rendering path when an administrator views the DNS configuration of an affected domain. A remote user can inject a crafted DNS TXT record to execute arbitrary JavaScript in an administrator's browser and take over the administrator account.

DNS functionality and DNS editor access must be enabled, and user interaction is limited to the administrator visiting the DNS editor page for the affected domain.


5) Cross-site request forgery (CVE-ID: N/A)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform unauthorized actions.

The vulnerability exists due to missing cross-site request forgery protection in the AJAX endpoint lib/ajax.php?action=editapikey when handling crafted cross-site requests. A remote attacker can trick the victim into visiting a crafted page to perform unauthorized actions.

User interaction is required to load the crafted page.
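The block below is an added example of synchronizer-token protection for a state-changing AJAX action; it is not Froxlor code, and the session layout, the header name X-CSRF-Token and the function names are assumptions. The token is generated once per session from a CSPRNG, compared in constant time, required only on POST, and backed by a Sec-Fetch-Site check where the browser sends one.

```php
<?php
// Added example, not Froxlor code: CSRF protection for an AJAX endpoint.
// Session shape and header names are assumptions.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

/** Create the per-session token on first use and return it for the page to embed. */
function csrfToken(array &$session): string
{
    if (!isset($session[CSRF_SESSION_KEY]) || !is_string($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/**
 * Accept a state-changing request only when it is a POST, carries the session's
 * token in X-CSRF-Token (compared in constant time) and, if the browser reports
 * a fetch site at all, that site is same-origin.
 */
function verifyCsrf(array $session, string $method, array $headers): bool
{
    if ($method !== 'POST') {
        return false; // GET must never mutate state; it carries no token
    }
    $expected = $session[CSRF_SESSION_KEY] ?? null;
    $provided = $headers['X-CSRF-Token'] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($provided)) {
        return false;
    }
    if (isset($headers['Sec-Fetch-Site']) && $headers['Sec-Fetch-Site'] !== 'same-origin') {
        return false;
    }
    return hash_equals($expected, $provided);
}

// Constructed session and requests exercising the check.
$session = [];
$token   = csrfToken($session);

$legit      = ['X-CSRF-Token' => $token, 'Sec-Fetch-Site' => 'same-origin'];
$crossSite  = ['Sec-Fetch-Site' => 'cross-site'];          // a forged form post carries no token
$wrongToken = ['X-CSRF-Token' => str_repeat('0', 64), 'Sec-Fetch-Site' => 'same-origin'];

var_dump(verifyCsrf($session, 'POST', $legit));
var_dump(verifyCsrf($session, 'POST', $crossSite));
var_dump(verifyCsrf($session, 'POST', $wrongToken));
var_dump(verifyCsrf($session, 'GET', $legit));
```

Only the first call succeeds. Marking the session cookie SameSite=Lax (session_set_cookie_params) is a useful second layer, but it does not replace the token: it is a browser-side default that older clients and some navigation types do not honour.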


6) CRLF injection (CVE-ID: N/A)

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to inject arbitrary web server configuration directives and disclose sensitive information.

The vulnerability exists due to improper neutralization of CRLF sequences in subdomain redirect URL handling in lib/Froxlor/Api/Commands/SubDomains.php when processing customer-supplied redirect URLs during subdomain creation or update. A remote user can supply a redirect URL containing literal newline characters to inject arbitrary web server configuration directives and disclose sensitive information.

The injected content is written into nginx or Apache virtual host configuration files during the cron rebuild cycle, and a malformed payload can cause a denial of service for all hosted customers while a crafted payload can affect other hosted domains.
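Issues 2 and 6 share one root cause: a user-controlled string is written verbatim into a line-oriented text format (a zone file, an nginx or Apache vhost file), so any byte that format treats as structure becomes an injection point. The block below is an added example, not Froxlor code, of one validator that serves both paths; the function names are assumptions. Control characters (CR, LF, TAB, NUL) are rejected outright, zone-file delimiters are either rejected or neutralised by quoting, and redirect URLs must parse as absolute http(s) URLs without whitespace.

```php
<?php
// Added example, not Froxlor code: keep line-structure bytes out of zone
// files and vhost configuration. Function names are assumptions. PHP 8+.
declare(strict_types=1);

/** True when the value contains a C0 control character or DEL (covers CR, LF, TAB, NUL). */
function containsLineStructureBytes(string $value): bool
{
    return (bool) preg_match('/[\x00-\x1F\x7F]/', $value);
}

/**
 * Validate a zone record's type and content. TXT content is returned quoted and
 * escaped so ';' cannot start a comment and '"' cannot end the string early;
 * other types may not contain those delimiters at all.
 */
function validateZoneRecordField(string $type, string $content): string
{
    if (!preg_match('/^[A-Z]{1,10}$/', $type)) {
        throw new InvalidArgumentException('unsupported record type');
    }
    if (containsLineStructureBytes($content)) {
        throw new InvalidArgumentException('record content contains control characters');
    }
    if ($type === 'TXT') {
        $escaped = str_replace(['\\', '"'], ['\\\\', '\\"'], $content);
        return '"' . $escaped . '"';
    }
    if (strpbrk($content, ';"') !== false) {
        throw new InvalidArgumentException('record content contains a zone-file delimiter');
    }
    return $content;
}

/** Redirect URL destined for a vhost file: absolute http(s) URL, no control bytes, no spaces. */
function validateRedirectUrl(string $url): string
{
    if (containsLineStructureBytes($url) || str_contains($url, ' ')) {
        throw new InvalidArgumentException('redirect URL contains whitespace or control characters');
    }
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('redirect URL must be an absolute http(s) URL');
    }
    return $url;
}

// Constructed inputs: the first two are accepted, the remaining three are rejected.
$cases = [
    ['zone', 'TXT', 'v=spf1 include:example.net; -all'],
    ['url',  null,  'https://www.example.com/landing'],
    ['zone', 'A',   "192.0.2.1\nsecond line"],
    ['zone', 'MX',  "10 mail.example.com\t; trailing comment"],
    ['url',  null,  "https://www.example.com/\nextra line"],
];
foreach ($cases as [$kind, $type, $value]) {
    try {
        $out = $kind === 'zone' ? validateZoneRecordField($type, $value) : validateRedirectUrl($value);
        echo "accepted: $out\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

Validation belongs at the API boundary (DomainZones.add, SubDomains add/update), but the serializer that writes the zone file or vhost block should apply the same check again: the cron rebuild cycle runs on whatever is in the database, including rows stored before the fix.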


Remediation

Install update from vendor's website.