Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS02MjVnLWZtNXctdzd3NM4AA4Mn

High EPSS: 0.00045% (0.13454 Percentile) EPSS:
Permalink JSON

Froxlor username/surname AND company field Bypass

Affected Packages Affected Versions Fixed Versions
packagist:froxlor/froxlor <= 2.1.1 2.1.2
0 Dependent packages
0 Dependent repositories
22 Downloads total

Affected Version Ranges

All affected versions

0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.10.10, 0.10.11, 0.10.12, 0.10.13, 0.10.14, 0.10.15, 0.10.16, 0.10.17, 0.10.18, 0.10.19, 0.10.20, 0.10.21, 0.10.22, 0.10.23, 0.10.24, 0.10.25, 0.10.26, 0.10.27, 0.10.28, 0.10.29, 0.10.30, 0.10.31, 0.10.32, 0.10.33, 0.10.34, 0.10.35, 0.10.36, 0.10.37, 0.10.38, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.1.0, 2.1.1

All unaffected versions

2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8

Dear Sirs and Madams,

I would like to report a business logic error vulnerability that I discovered during my recent penetration test on Froxlor.

Specifically, I identified an issue where it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements established by the system.

The surname, family name AND company name all of them can be left blank.

I believe addressing this vulnerability is crucial to ensure the security and integrity of the Froxlor platform.

Thank you for your attention to this matter.

This action served as a means to bypass the mandatory field requirements.

Lets see (please have a look at the Video -> attachment).

as you can see i was able to let the username and second name blank.

https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4

Lets see again.

Only the company name is set.

Thank you for your time

Froxlor 2
Froxlor 1

References:

Identifiers

GHSA-625g-fm5w-w7w4

CVE-2023-50256

Risk

Severity

High

EPSS

EPSS Percentage: 0.00045

EPSS Percentile: 0.13454

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/Froxlor/Froxlor

Date and time

Published

over 1 year ago

Updated

over 1 year ago

API

JSON