CRLF injection in Froxlor - #VU135783

Published: June 29, 2026


Vulnerability identifier: #VU135783
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-93
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: froxlor
Affected software:
Froxlor

Detailed vulnerability description

The vulnerability allows a remote user to inject arbitrary web server configuration directives and disclose sensitive information.

The vulnerability exists due to improper neutralization of CRLF sequences in the subdomain redirect URL handling in lib/Froxlor/Api/Commands/SubDomains.php when customer-supplied redirect URLs are processed during subdomain creation or update. A remote user can supply a redirect URL containing literal newline characters to inject arbitrary web server configuration directives and disclose sensitive information.

The injected content is written into nginx or Apache virtual host configuration files during the cron rebuild cycle. A malformed payload can cause a denial of service for all hosted customers, and a crafted payload can affect other hosted domains.
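The defect class above, as an added illustration that is not Froxlor's code: a redirect target is interpolated verbatim into an nginx vhost fragment, beside a hardened variant that rejects control characters and non-http(s) URLs before the value can reach the configuration. Function names, the nginx template and the sample input are constructed for this example.

```php
<?php
// Vulnerable form (constructed): the customer-supplied target is written as-is,
// so a literal newline ends the "return" directive and starts a new line in the vhost.
function buildRedirectUnsafe(string $domain, string $target): string
{
    return "server {\n    server_name {$domain};\n    return 301 {$target};\n}\n";
}

// Hardened form: validate before writing. Any ASCII control character (CR, LF, NUL, ...)
// is rejected outright, and the value must parse as an absolute http(s) URL.
function validateRedirectUrl(string $url): ?string
{
    if (preg_match('/[\x00-\x1F\x7F]/', $url) === 1) {
        return null; // would break out of the directive or the line
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null; // relative or malformed target
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

function buildRedirectSafe(string $domain, string $target): string
{
    $clean = validateRedirectUrl($target);
    if ($clean === null) {
        throw new InvalidArgumentException('redirect URL rejected');
    }
    // Quoting is a second layer only; the control-character check above is the real fix,
    // because nginx quoted strings may still span lines.
    $quoted = '"' . addcslashes($clean, "\"\\") . '"';
    return "server {\n    server_name {$domain};\n    return 301 {$quoted};\n}\n";
}

// Constructed sample: a target carrying a literal newline and a placeholder extra directive.
$payload = "https://example.com/\n    injected_directive on;";

echo "--- unsafe template ---\n", buildRedirectUnsafe('customer.example', $payload);
try {
    buildRedirectSafe('customer.example', $payload);
} catch (InvalidArgumentException $e) {
    echo "--- hardened template: ", $e->getMessage(), "\n";
}
echo "--- hardened template, valid input ---\n", buildRedirectSafe('customer.example', 'https://example.com/new');
```

The same check belongs in the API layer that accepts the URL, not only in the cron rebuild, so that a bad value is never persisted in the first place.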


Remediation

Install security update from vendor's website.

Sources