CVE-2020-29653

Name of the Vulnerable Software and Affected Versions: Froxlor versions 0.10.22 and earlier

Description: The issue concerns a lack of validation on user input passed in the customermail GET parameter. This allows the injection of arbitrary HTML tags, which are reflected in the login webpage. This can potentially be used to steal login credentials.

Recommendations: For Froxlor versions 0.10.22 and earlier, consider disabling the reflection of user input in the login webpage until a proper fix is available. Restrict access to the customermail parameter to minimize the risk of exploitation. Note that while Froxlor version 0.10.22 introduces AntiXSS cross-site scripting protection, it only provides partial protection for this particular issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.