Information disclosure in Froxlor - #VU135778

 


Published: June 29, 2026


Vulnerability identifier: #VU135778
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: froxlor
Affected software: Froxlor

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive authentication material and compromise affected accounts.

The vulnerability exists due to exposure of sensitive information in Froxlor API command classes when handling API get and listing requests. A remote privileged user can send crafted API requests to disclose sensitive authentication material and compromise affected accounts.

The issue affects customer, administrator, and FTP API responses, which return password hashes. Customer and administrator responses may also expose Base32-encoded TOTP seed material when 2FA is enabled.
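A way to check captured API responses for the two kinds of material described above, useful as a regression test after updating. This is an added example, not code from the advisory or from Froxlor; the JSON envelope and the field names `loginname`, `password` and `totp_seed` are constructed assumptions, and all values are fake.

```python
import json
import re

# Value shapes of the material the advisory says leaks: crypt-style password
# hashes and Base32-encoded TOTP seeds. Matching on values, not key names,
# means the check does not depend on how the API labels the fields.
HASH_RE = re.compile(
    r"^\$(?:2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}"                     # bcrypt
    r"|argon2(?:id|i|d)\$\S+"                                       # Argon2 PHC string
    r"|[156]\$(?:rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{22,86})$"  # MD5/SHA-crypt
)
BASE32_RE = re.compile(r"^[A-Z2-7]{16,}=*$")  # 16+ chars = 80+ bits of seed


def find_leaks(node, path="$"):
    """Walk decoded JSON; return (json_path, kind) for each secret-shaped string."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_leaks(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_leaks(value, f"{path}[{i}]")
    elif isinstance(node, str):
        if HASH_RE.match(node):
            hits.append((path, "password-hash"))
        elif BASE32_RE.match(node):
            hits.append((path, "base32-seed"))
    return hits


# Constructed sample bodies (field names and envelope are assumptions, values are fake).
FAKE_BCRYPT = "$2y$10$" + "A" * 53
LEAKY = json.dumps({"data": {"list": [
    {"loginname": "cust1", "password": FAKE_BCRYPT, "totp_seed": "JBSWY3DPEHPK3PXP"},
    {"loginname": "cust2", "password": "$6$saltsalt$" + "B" * 86, "totp_seed": ""},
]}})
CLEAN = json.dumps({"data": {"list": [{"loginname": "cust1"}, {"loginname": "cust2"}]}})

if __name__ == "__main__":
    for name, body in (("before fix", LEAKY), ("after fix", CLEAN)):
        hits = find_leaks(json.loads(body))
        print(name, "->", hits or "no secret-shaped values")
```

The Base32 match is by shape only, so long uppercase identifiers can trigger it; treat hits as items to review against the response schema.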


Remediation

Install the security update from the vendor's website.
