PT-2020-11991 · Froxlor · Froxlor

Johannes Segitz

Published

2020-03-09

Updated

2022-05-24

CVE-2020-10235

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Froxlor versions prior to 0.10.14

Description An issue was discovered that allows remote attackers with access to the installation routine to execute arbitrary code. This is due to the database configuration options being passed unescaped to exec in the backupExistingDatabase function in install/lib/class.FroxlorInstall.php.

Recommendations For versions prior to 0.10.14, update to version 0.10.14 or later to resolve the issue. As a temporary workaround, consider restricting access to the installation routine to minimize the risk of exploitation.

Exploit

Fix

Improper Encoding or Escaping of Output

RCE

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-116CWE-20CWE-78

Related Identifiers

CVE-2020-10235

GHSA-P29C-JPGJ-V57R

Affected Products

Froxlor

PT-2020-11991 · Froxlor · Froxlor

CVE-2020-10235

Weakness Enumeration

Related Identifiers

Affected Products

References · 8