Michael Kaufmann

44 exploits Active since Jun 2018
CVE-2026-41237 WRITEUP HIGH WRITEUP
Froxlor <2.3.7 DNS Record Validation - Zone File Injection
Froxlor is open source server administration software. In version 2.3.6 and earlier, the LOC record regex uses `\s+` which matches newlines (allowing embedded newlines to pass), TLSA `matchingType=0` has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Version 2.3.7 contains an updated patch.
CVE-2020-10235 WRITEUP HIGH WRITEUP
Froxlor < 0.10.14 - Remote Code Execution via Database Configuration Options
An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExistingDatabase in install/lib/class.FroxlorInstall.php.
CVSS 8.8
CVE-2021-42325 WRITEUP CRITICAL WRITEUP
froxlor < 0.10.30 - SQL Injection via Custom DB Name
Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name.
CVSS 9.8
CVE-2023-0315 WRITEUP HIGH WRITEUP
froxlor/froxlor <2.0.8 - Command Injection
Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8.
CVSS 8.8
CVE-2026-41228 WRITEUP CRITICAL WRITEUP
Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.
CVSS 9.9
CVE-2026-41229 WRITEUP CRITICAL WRITEUP
Froxlor <2.3.6 MysqlServer API - PHP Code Injection
Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch.
CVSS 9.1
CVE-2026-41230 WRITEUP HIGH WRITEUP
Froxlor <2.3.6 DomainZones::add() - BIND Zone File Injection
Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. Version 2.3.6 fixes the issue.
CVSS 8.5
CVE-2026-41231 WRITEUP HIGH WRITEUP
Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron
Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix.
CVSS 7.5
CVE-2026-41232 WRITEUP MEDIUM WRITEUP
Froxlor <2.3.6 EmailSender::add() - Domain Ownership Bypass
Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's `sender_login_maps` then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue.
CVSS 5.0
CVE-2026-41233 WRITEUP MEDIUM WRITEUP
Froxlor <2.3.6 Domains.add() - Reseller Quota Bypass
Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's `domains_used` counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes the issue.
CVSS 5.4
CVE-2026-30932 WRITEUP HIGH WRITEUP
Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5.
CVSS 8.8
CVE-2026-26279 WRITEUP CRITICAL WRITEUP
froxlor < 2.3.4 - Authenticated Remote Code Execution via Email Validation Bypass
Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.
CVSS 9.1
CVE-2018-12642 WRITEUP HIGH WRITEUP
Froxlor <0.9.39.5 - Privilege Escalation
Froxlor through 0.9.39.5 has Incorrect Access Control for tickets not owned by the current user.
CVSS 7.5
CVE-2020-10235 WRITEUP HIGH WRITEUP
Froxlor < 0.10.14 - Remote Code Execution via Database Configuration Options
An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExistingDatabase in install/lib/class.FroxlorInstall.php.
CVSS 8.8
CVE-2020-10236 WRITEUP MEDIUM WRITEUP
Froxlor < 0.10.14 - Information Disclosure and Denial of Service via Static /tmp File Creation
An issue was discovered in Froxlor before 0.10.14. It created files with static names in /tmp during installation if the installation directory was not writable. This allowed local attackers to cause DoS or disclose information out of the config files, because of _createUserdataConf in install/lib/class.FroxlorInstall.php.
CVSS 6.1
CVE-2022-3017 WRITEUP MEDIUM WRITEUP
froxlor < 0.10.38 - Cross-Site Request Forgery
Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 0.10.38.
CVSS 6.5
CVE-2022-3721 WRITEUP MEDIUM WRITEUP
froxlor < 0.10.39 - Code Injection
Code Injection in GitHub repository froxlor/froxlor prior to 0.10.39.
CVSS 4.6
CVE-2022-3869 WRITEUP MEDIUM WRITEUP
froxlor/froxlor <0.10.38.2 - Code Injection
Code Injection in GitHub repository froxlor/froxlor prior to 0.10.38.2.
CVSS 6.1
CVE-2022-4864 WRITEUP MEDIUM WRITEUP
froxlor/froxlor <2.0.0-beta1 - Command Injection
Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
CVSS 5.4
CVE-2022-4867 WRITEUP MEDIUM WRITEUP
froxlor/froxlor <2.0.0-beta1 - CSRF
Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
CVSS 4.3
CVE-2022-4868 WRITEUP MEDIUM WRITEUP
GitHub froxlor/froxlor <2.0.0-beta1 - Info Disclosure
Improper Authorization in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
CVSS 4.3
CVE-2023-0316 WRITEUP MEDIUM WRITEUP
froxlor/froxlor <2.0.0 - Path Traversal
Path Traversal: '\..\filename' in GitHub repository froxlor/froxlor prior to 2.0.0.
CVSS 5.5
CVE-2023-0564 WRITEUP MEDIUM WRITEUP
GitHub froxlor/froxlor <2.0.10 - Info Disclosure
Weak Password Requirements in GitHub repository froxlor/froxlor prior to 2.0.10.
CVSS 5.4
CVE-2023-0565 WRITEUP MEDIUM WRITEUP
froxlor/froxlor <2.0.10 - Info Disclosure
Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.10.
CVSS 5.5
CVE-2023-0566 WRITEUP MEDIUM WRITEUP
froxlor < 2.0.10 - Cross-Site Scripting
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in froxlor/froxlor prior to 2.0.10.
CVSS 6.2