Advisories for Composer/Froxlor/Froxlor package

In Froxlor 2.1.9 and in the HEADs of the main, v2.2 and v2.1 branches , the XML templates in lib/configfiles/ set chmod 644 for /etc/pure-ftpd/db/mysql.conf, although that file contains <SQL_UNPRIVILEGED_PASSWORD>. At least on Debian 12, all parent directories of /etc/pure-ftpd/db/mysql.conf are world readable by default, thus exposing these credentials to all users with access to the system. Only Froxlor instances configured to use pure-ftpd are affected/vulnerable.

Description: A Stored Blind Cross-Site Scripting (XSS) vulnerability has been identified in the Failed Login Attempts Logging Feature of the Froxlor Application. Stored Blind XSS occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious scripts that will be executed when other users access the affected page. In this case, an unauthenticated User can inject malicious scripts in the loginname …

Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue.

Improper Input Validation in GitHub repository froxlor/froxlor prior to 2.1.0.

Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22.

Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1.

Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.22

Improper Encoding or Escaping of Output in GitHub repository froxlor/froxlor prior to 2.0.21.

Session Fixation in GitHub repository froxlor/froxlor prior to 2.1.0.

Improper Restriction of Excessive Authentication Attempts in GitHub repository froxlor/froxlor prior to 2.0.20.

Path Traversal in GitHub repository froxlor/froxlor prior to 2.0.20.

Allocation of Resources Without Limits or Throttling in GitHub repository froxlor/froxlor prior to 2.0.16.

Unrestricted Upload of File with Dangerous Type in GitHub repository froxlor/froxlor prior to 2.0.14.

Authentication Bypass by Primary Weakness in GitHub repository froxlor/froxlor prior to 2.0.13.

Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.11.

Code Injection in GitHub repository froxlor/froxlor prior to 2.0.11.

Code Injection in GitHub repository froxlor/froxlor prior to 2.0.10.

Weak Password Requirements in GitHub repository froxlor/froxlor prior to 2.0.10.

Unchecked Error Condition in GitHub repository froxlor/froxlor prior to 2.0.10.

Static Code Injection in GitHub repository froxlor/froxlor prior to 2.0.10.

Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.10.

Path Traversal: '..\filename' in GitHub repository froxlor/froxlor prior to 2.0.0.

Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8.

Improper Authorization in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.

Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.

Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.

Code Injection in GitHub repository froxlor/froxlor prior to 0.10.38.2.

Code Injection in GitHub repository froxlor/froxlor prior to 0.10.39.

Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 0.10.38.

Froxlor through 0.10.22 does not perform validation on user input passed in the customermail GET parameter. The value of this parameter is reflected in the login webpage, allowing the injection of arbitrary HTML tags.

Multiple cross-site scripting (XSS) vulnerabilities in the Customer Add module of Foxlor v0.10.16 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the name, firstname, or username input fields.

Froxl allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name.

An issue was discovered in Froxlor. The installer wrote configuration parameters including passwords into files in /tmp, setting proper permissions only after writing the sensitive data. A local attacker could have disclosed the information if he read the file at the right time, the flaw exists in _createUserdataConf of the install/lib/class.FroxlorInstall.php file.

An issue was discovered in Froxlor. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, the flaw exists in _backupExistingDatabase of the install/lib/class.FroxlorInstall.php file.

An issue was discovered in Froxlor. It created files with static names in /tmp during installation if the installation directory was not writable. This allowed local attackers to cause DoS or disclose information out of the config files, the flaw exists in _createUserdataConf of the install/lib/class.FroxlorInstall.php file.

Froxlor version Contains a code injection vulnerability.

Froxl has Incorrect Access Control for tickets not owned by the current user.

Froxl uses the PHP rand function for random number generation, which makes it easier for remote attackers to guess the password reset token by predicting a value.