Incorrect permission assignment for critical resource in Froxlor - #VU128190

 


Published: August 23, 2024 / Updated: April 27, 2026


Vulnerability identifier: #VU128190
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-732
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Froxlor
Software vendor: froxlor

Description

The vulnerability allows a local user to disclose sensitive information and potentially escalate privileges.

The vulnerability exists due to incorrect permission assignment for a critical resource in /etc/pure-ftpd/db/mysql.conf when generating configuration files for pure-ftpd. A local user can read the world-readable file to disclose sensitive information and potentially escalate privileges.

Only instances configured to use pure-ftpd are vulnerable. The issue can be exploited by unprivileged users with command or code execution access on the system, including virtual users able to run uploaded PHP scripts or other CGI programs.
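
A defender-side check for the condition described above, as an added example that is not Froxlor or vendor code: it reports whether the pure-ftpd MySQL configuration file is readable by "other" and reachable through its parent directories. The function names, return codes and the optional second argument are assumptions of this example, and it relies on `stat -c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example (not vendor code): audit the file named in the advisory.
# Assumes GNU/BusyBox `stat -c`; function names and exit codes are this example's own.

# other_bits PATH -> prints the "other" permission digit (0-7) of PATH
other_bits() {
    mode=$(stat -c '%a' "$1") || return 1      # e.g. 644, 600, 1777
    echo $(( 0$mode & 7 ))                     # keep only the low octal digit
}

# audit_conf [FILE] [TOP]
#   FILE defaults to the path from the advisory; TOP is where the parent walk stops.
#   returns 0 = not readable by "other", 1 = world-readable and reachable, 2 = cannot check
audit_conf() {
    f=${1:-/etc/pure-ftpd/db/mysql.conf}
    top=${2:-/}
    [ -e "$f" ] || { echo "MISSING  $f"; return 2; }
    o=$(other_bits "$f") || return 2
    if [ $(( $o & 4 )) -eq 0 ]; then
        echo "OK       $f (no read bit for other)"
        return 0
    fi
    # The read bit only matters if "other" can traverse every parent directory.
    d=$(dirname "$f")
    while :; do
        o=$(other_bits "$d") || return 2
        if [ $(( $o & 1 )) -eq 0 ]; then
            echo "SHIELDED $f (world-readable, but $d blocks traversal by other)"
            return 0
        fi
        if [ "$d" = "$top" ] || [ "$d" = / ] || [ "$d" = . ]; then break; fi
        d=$(dirname "$d")
    done
    echo "EXPOSED  $f (any local account, including hosted PHP/CGI users, can read it)"
    return 1
}

# Usage on a host: audit_conf    (checks /etc/pure-ftpd/db/mysql.conf)
```

The check looks only at classic mode bits; POSIX ACLs are not evaluated.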


Remediation

Install the security update from the vendor's website.
