Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qOXdyLW1qNjktY3Ftds4AAjxa

Froxlor Exposure of Sensitive Information to an Unauthorized Actor

An issue was discovered in Froxlor through 0.10.15. The installer wrote configuration parameters, including passwords, into files in /tmp and set proper permissions only after writing the sensitive data. A local attacker who read the file at the right time could have disclosed the information. The affected code is _createUserdataConf in install/lib/class.FroxlorInstall.php.

Permalink: https://github.com/advisories/GHSA-j9wr-mj69-cqmv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qOXdyLW1qNjktY3Ftds4AAjxa
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 11 days ago


CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-j9wr-mj69-cqmv, CVE-2020-10237
Blast Radius: 1.0

Affected Packages

packagist:froxlor/froxlor
Dependent packages: 0
Dependent repositories: 0
Downloads: 20 total
Affected Version Ranges: <= 0.10.15
No known fixed version
All affected versions: 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.10.10, 0.10.11, 0.10.12, 0.10.13, 0.10.14, 0.10.15