Information disclosure in Froxlor - #VU135778
Published: June 29, 2026
Froxlor
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive authentication material and compromise affected accounts.
The vulnerability exists due to exposure of sensitive information in Froxlor API command classes when handling API get and listing requests. A remote privileged user can send crafted API requests to disclose sensitive authentication material and compromise affected accounts.
The issue affects customer, administrator, and FTP API responses that return password hashes. Customer and administrator responses may also expose Base32-encoded TOTP seed material when 2FA is enabled.
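To check whether API get and listing responses still carry this material after patching, the decoded JSON can be scanned for values shaped like password hashes or Base32 seeds. The following is an added example, not code from the advisory or from Froxlor; the sample response, its field names (`password`, `totp_seed`) and its values are constructed, and detection works on value shape rather than on any known Froxlor field name.

```python
import json
import re

# Modular-crypt style password hashes (bcrypt, md5/sha256/sha512-crypt, argon2).
HASH_RE = re.compile(r"^\$(2[abxy]|1|5|6|argon2(id|i|d))\$[A-Za-z0-9./$=,+]{20,}$")
# Base32 alphabet, 16+ chars, optional padding: the usual shape of a TOTP seed.
# Any long all-uppercase token also matches, so review findings by hand.
BASE32_RE = re.compile(r"^[A-Z2-7]{16,}={0,6}$")


def classify(value):
    """Return a finding label for a secret-shaped string, else None."""
    if not isinstance(value, str):
        return None
    if HASH_RE.match(value):
        return "password-hash"
    if BASE32_RE.match(value):
        return "base32-seed"
    return None


def find_secrets(node, path="$"):
    """Walk decoded JSON and return (json_path, label) for each suspicious value."""
    findings = []
    if isinstance(node, dict):
        for key, child in node.items():
            findings += find_secrets(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            findings += find_secrets(child, f"{path}[{i}]")
    else:
        label = classify(node)
        if label:
            findings.append((path, label))
    return findings


# Constructed sample listing response; field names and values are illustrative.
SAMPLE = json.loads("""
{"data": {"list": [
  {"loginname": "web1", "email": "a@example.test",
   "password": "$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
   "totp_seed": "JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP"},
  {"loginname": "web2", "email": "b@example.test"}
]}}
""")

if __name__ == "__main__":
    for path, label in find_secrets(SAMPLE):
        print(f"{label:14} {path}")
```

An empty result from `find_secrets` on customer, administrator and FTP responses is the expected state once the responses no longer include this material.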