Product
Froxlor BIND Zone File Injection Vulnerability
2 rules 1 TTPFroxlor versions 2.3.4 and earlier are vulnerable to BIND zone file injection, where an attacker can inject newlines and BIND zone file directives via the DomainZones API, potentially leading to information disclosure, DNS service disruption, and zone data manipulation.
Froxlor API Local File Inclusion leads to Remote Code Execution
2 rules 3 TTPsFroxlor is vulnerable to local file inclusion via path traversal in the `def_language` parameter of the API, leading to remote code execution as the web server user.
Froxlor DataDump.add() Incomplete Symlink Validation Allows Arbitrary Directory Ownership Takeover
2 rules 1 TTP 1 CVEFroxlor versions before 2.3.6 are vulnerable to arbitrary directory ownership takeover via the DataDump.add() function due to incomplete symlink validation, allowing attackers to manipulate file ownership via a malicious symlink.
Froxlor PHP Code Injection via Unescaped Single Quotes in userdata.inc.php
2 rules 2 TTPsFroxlor is vulnerable to PHP code injection due to unescaped single quotes in the userdata.inc.php generation via the MysqlServer API, where an administrator with `change_serversettings` permission can inject arbitrary PHP code, leading to arbitrary OS command execution as the web server user.