CVSS: 8.8 | EPSS: 58% | CPEs: 1 | EXPL: 3

Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8. Froxlor versions 2.0.6 and below suffer from a bug that allows authenticated users to change the application log path to any directory on the OS that the user www-data can write to, with no restriction enforced by the backend. This makes it possible to write a malicious Twig template that the application will render, which leads to remote command execution as the user www-data.
• https://www.exploit-db.com/exploits/51263
• https://github.com/mhaskar/CVE-2023-0315
• http://packetstormsecurity.com/files/171108/Froxlor-2.0.6-Remote-Command-Execution.html
• http://packetstormsecurity.com/files/171729/Froxlor-2.0.3-Stable-Remote-Code-Execution.html
• https://github.com/froxlor/froxlor/commit/090cfc26f2722ac3036cc7fd1861955bc36f065a
• https://huntr.dev/bounties/ff4e177b-ba48-4913-bbfa-ab8ce0db5943
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

Path Traversal: '\..\filename' in GitHub repository froxlor/froxlor prior to 2.0.0.
• https://github.com/froxlor/froxlor/commit/983d9294603925018225d672795bd8b4a526f41e
• https://huntr.dev/bounties/c190e42a-4806-47aa-aa1e-ff5d6407e244
• CWE-29: Path Traversal: '\..\filename'

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

Improper Authorization in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
• https://github.com/froxlor/froxlor/commit/0527f22dc942483430f8449e25a096bb8d683a5d
• https://huntr.dev/bounties/3a8f36ac-5eda-41e7-a9c4-e0f3d63e6e3b
• CWE-285: Improper Authorization

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
• https://github.com/froxlor/froxlor/commit/f7f356e896173558248c43f4f68612f78e73a65d
• https://huntr.dev/bounties/c91364dd-9ead-4bf3-96e6-663a017e08fa
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
• https://github.com/froxlor/froxlor/commit/f2485ecd9aab8da544b5e12891d82ae6fcff5fc7
• https://huntr.dev/bounties/b7140709-8f84-4f19-9463-78669fa2175b
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')