Arbitrary Code Execution Vulnerability in Froxlor by Froxlor Development Team
CVE-2020-10235

8.8HIGH

Key Information:

Vendor

Froxlor

Status
Froxlor
Vendor
CVE Published:
9 March 2020

What is CVE-2020-10235?

A vulnerability in Froxlor prior to version 0.10.14 allows remote attackers with access to the installation routine to execute arbitrary code. The flaw arises from the database configuration options being passed unescaped to the exec function within the _backupExistingDatabase method located in install/lib/class.FroxlorInstall.php. This can lead to unauthorized commands being executed, potentially compromising the affected systems. It is critical for users to update to the latest version to mitigate this risk.

References

https://github.com/Froxlor/Froxlor/commit/7e361274c5bf687...
x_refsource_MISC
https://github.com/Froxlor/Froxlor/commit/62ce21c9ec393f9...
x_refsource_MISC
https://bugzilla.suse.com/show_bug.cgi?id=1165721
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.