Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qNzM5LWd3NnEtZjRjN807Vw
HTML Injection in Froxlor
Froxlor through 0.10.22 does not perform validation on user input passed in the customermail GET parameter. The value of this parameter is reflected in the login webpage, allowing the injection of arbitrary HTML tags.
Note: Froxlor version 0.10.22 introduces AntiXSS cross-site scripting protection, but AntiXSS only provides partial protection for this particular issue.
Permalink: https://github.com/advisories/GHSA-j739-gw6q-f4c7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNzM5LWd3NnEtZjRjN807Vw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-j739-gw6q-f4c7, CVE-2020-29653
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-29653
- https://github.com/Froxlor/Froxlor/security/advisories
- https://nozero.io/en/cve-2020-29653-froxlor-html-injection-dangling-markup/
- https://github.com/Froxlor/Froxlor/commit/6bf5eccc2477257b6c1760a3c3784ae7e0554ce0
- https://github.com/advisories/GHSA-j739-gw6q-f4c7
Blast Radius: 1.0
Affected Packages
packagist:froxlor/froxlor
Dependent packages: 0
Dependent repositories: 0
Downloads: 19 total
Affected Version Ranges: <= 0.10.22
No known fixed version
All affected versions: 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.10.10, 0.10.11, 0.10.12, 0.10.13, 0.10.14, 0.10.15, 0.10.16, 0.10.17, 0.10.18, 0.10.19, 0.10.20, 0.10.21, 0.10.22