Skip to content
Threat Feed

Product

Froxlor

4 briefs RSS
high advisory

Froxlor BIND Zone File Injection Vulnerability

Froxlor versions 2.3.4 and earlier are vulnerable to BIND zone file injection, where an attacker can inject newlines and BIND zone file directives via the DomainZones API, potentially leading to information disclosure, DNS service disruption, and zone data manipulation.

Froxlor bind zone-file-injection dns
2r 1t
critical advisory

Froxlor API Local File Inclusion leads to Remote Code Execution

Froxlor is vulnerable to local file inclusion via path traversal in the `def_language` parameter of the API, leading to remote code execution as the web server user.

Froxlor rce lfi php
2r 3t
critical advisory

Froxlor DataDump.add() Incomplete Symlink Validation Allows Arbitrary Directory Ownership Takeover

Froxlor versions before 2.3.6 are vulnerable to arbitrary directory ownership takeover via the DataDump.add() function due to incomplete symlink validation, allowing attackers to manipulate file ownership via a malicious symlink.

Froxlor symlink privilege-escalation
2r 1t 1c
critical advisory

Froxlor PHP Code Injection via Unescaped Single Quotes in userdata.inc.php

Froxlor is vulnerable to PHP code injection due to unescaped single quotes in the userdata.inc.php generation via the MysqlServer API, where an administrator with `change_serversettings` permission can inject arbitrary PHP code, leading to arbitrary OS command execution as the web server user.

Froxlor php-injection webserver
2r 2t