CVE-2020-10235

HIGH

Froxlor <0.10.14 - RCE

Description

An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExistingDatabase in install/lib/class.FroxlorInstall.php.

Scores

CVSS v3 8.8
EPSS 0.0070
EPSS Percentile 72.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78 CWE-116
Status published
Products (2)
froxlor/froxlor < 0.10.14
froxlor/froxlor 0 - 0.10.14 (Packagist)
Published Mar 09, 2020
Tracked Since Feb 18, 2026