Back

CVE-2024-34070

May 14, 2024, 4:12 p.m.

Awaiting Analysis
CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

Products

Froxlor

  • 2.1.9

Source

security-advisories@github.com

Tags

security-advisories@github.com
CWE-79
2024-05-14
CVE-2024-34070

CVE-2024-34070 details

Published : May 14, 2024, 3:38 p.m.
Last Modified : May 14, 2024, 4:12 p.m.

Description

Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. This vulnerability is fixed in 2.1.9.

CVSS Score

1 2 3 4 5 6 7 8 9.6 10

Weakness

Weakness Name Description

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.6

Exploitability Score

Impact Score

Base Severity

CRITICAL

Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

URL Source
https://github.com/froxlor/Froxlor/commit/a862307bce5cdfb1c208b835f3e8faddd23046e6 security-advisories@github.com
https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53 security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.