PT-2024-25681 · Vue.Js+1

Umeradeemcheema · Published 2024-05-10 · Updated 2024-11-20 · CVE-2024-34070

CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Froxlor versions prior to 2.1.9
Description: A stored blind cross-site scripting (XSS) vulnerability has been identified in the failed-login-attempts logging feature of the Froxlor application. An unauthenticated user can inject a malicious script through the loginname parameter of a login attempt; the script is stored with the log entry and executed when an administrator views the System Logs. By exploiting this vulnerability, an attacker can make the administrator's browser perform actions without the administrator's knowledge or consent, for instance adding a new administrator account controlled by the attacker, which gives the attacker full control over the application. The vulnerability can also lead to defacement of the application and allow attackers to steal sensitive information such as login credentials, session tokens, and personally identifiable information (PII).
Recommendations: For versions prior to 2.1.9, update to version 2.1.9, which fixes the vulnerability. As a temporary workaround, apply thorough input validation and sanitization to all user inputs, and sanitize logged values so that they cannot reach Vue.js data binding or template interpolation as executable content. Restrict access to the System Logs to minimize the risk of exploitation, and avoid using the loginname parameter in the affected login attempt until the issue is resolved.
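As an added illustration (not Froxlor's own code, and not the 2.1.9 fix), the JavaScript below shows the two sides of the recommendation for a Vue.js-based System Logs view: the unsafe pattern concatenates the logged loginname straight into markup that Vue compiles, while the hardened pattern HTML-escapes the value and marks the cell with Vue's v-pre directive so that neither script tags nor {{ }} expressions are interpreted. The log entries and field names are constructed for the example.

```javascript
// Added example (not Froxlor's code): defensive rendering of failed-login
// log entries for an admin "System Logs" view built with Vue.js.
// The entry format and field names below are constructed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that could open markup or break out of an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the logged loginname is concatenated straight into markup
// that Vue later compiles, so both <script> tags and {{ }} expressions run.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.time}</td><td>${entry.loginname}</td></tr>`;
}

// Hardened pattern: HTML-escape the value AND mark the cell with Vue's
// v-pre directive so the compiler leaves {{ ... }} inside it uninterpreted.
function renderRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.time)}</td>` +
         `<td v-pre>${escapeHtml(entry.loginname)}</td></tr>`;
}

// Detection helper for the log itself: flag loginname values that carry
// markup or template delimiters, which no legitimate account name needs.
function isSuspiciousLoginName(loginname) {
  return /[<>]|\{\{|\}\}|javascript:/i.test(loginname);
}

// Constructed failed-login entries: one benign, one carrying a script tag,
// one carrying a Vue interpolation expression.
const SAMPLE_ENTRIES = [
  { time: '2024-05-10 10:00:01', loginname: 'alice' },
  { time: '2024-05-10 10:00:07', loginname: '<script>alert(1)</script>' },
  { time: '2024-05-10 10:00:09', loginname: '{{ 1 + 1 }}' },
];

// Render all rows safely and return the timestamps a reviewer should look at.
function renderLogTable(entries) {
  return {
    rows: entries.map(renderRowSafe).join(''),
    flagged: entries.filter((e) => isSuspiciousLoginName(e.loginname)).map((e) => e.time),
  };
}
```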

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2024-34070
GHSA-X525-54HF-XR53

Affected Products

Froxlor
Vue.Js