CVE-2021-42325

CRITICAL

froxlor < 0.10.30 - SQL Injection via Custom DB Name

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-42325. PoCs published by Martin Cernac, AK-blank.

AI-analyzed exploit summary: This exploit demonstrates an authenticated SQL injection in Froxlor 0.10.28 and 0.10.29.x, allowing privilege escalation to administrator and subsequent remote code execution as root via manipulation of the 'Webserver reload command' field.

Description

Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name.

Exploits (2)

exploitdb WORKING POC
by Martin Cernac · text · webapps · php
https://www.exploit-db.com/exploits/50502

This exploit demonstrates an authenticated SQL injection in Froxlor 0.10.28 and 0.10.29.x, allowing privilege escalation to administrator and subsequent remote code execution as root via manipulation of the 'Webserver reload command' field.

Classification: Working Poc 100%
Attack Type: Sqli
Complexity: Moderate
Reliability: Reliable
Target: Froxlor 0.10.28, 0.10.29, 0.10.29.1
Auth required
Prerequisites: Access to a customer account · Ability to specify database name when creating a database
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 1 stars
by AK-blank · poc
https://github.com/AK-blank/CVE-2021-42325-

This repository contains a README.md file referencing CVE-2021-42325, a vulnerability in Apache HTTP Server 2.4.49 and 2.4.50, with a link to an ExploitDB entry. No actual exploit code is present.

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Apache HTTP Server 2.4.49 and 2.4.50
No auth needed
Prerequisites: none
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/50502

Scores

CVSS v3: 9.8
EPSS: 0.0552
EPSS Percentile: 90.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (2)
froxlor/froxlor < 0.10.30
froxlor/froxlor 0 - 0.10.30 · Packagist
Published: Oct 12, 2021
Tracked Since: Feb 18, 2026