Homepage
About Snyk

Arbitrary Code Execution Affecting froxlor/froxlor package, versions <0.10.14

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.53% (78th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-FROXLORFROXLOR-559544
  • published 9 Mar 2020
  • disclosed 9 Mar 2020
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 9 Mar 2020

CVE-2020-10235 Open this link in a new tab
CWE-94 Open this link in a new tab

How to fix?

Upgrade froxlor/froxlor to version 0.10.14 or higher.

Overview

froxlor/froxlor is a server administration software.

Affected versions of this package are vulnerable to Arbitrary Code Execution. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExistingDatabase in install/lib/class.FroxlorInstall.php.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.3 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    Low
Expand this section

NVD

8.8 high