Language Dropdown Menu Manipulation in froxlor/froxlor

Valid

Reported on

Jan 27th 2023


Hello

It is possible to manipulate the Language Dropdown Menu and change it to anything the attacker wants.

Process of the Vulnerability:

  1. Login
  2. Go to Miscellaneous -> Email & file templates
  3. Add Template -> Change & Save and intercept the Request
  4. Change the Language to anything you want

Let's see :)

As you can see, there are specific Languages; nobody can select anything else.

Let's put HACKED inside it :)

The language is now HACKED, let's see

As you can see, the language is now HACKED and it got accepted, even though we have a Dropdown Menu with specific Languages to choose from.

Thank you for watching :)

Best regards Ahmed Hassan
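The failure mode in the report is a server that trusts a value because the browser only offered fixed choices for it. The following is an added example (not froxlor's code and not the reporter's): a handler that stores the submitted language as-is next to one that re-checks it against the server's own list of offered languages. The language set, the form fields and the request bodies are constructed stand-ins; the `validate_choice` helper is generic so it covers any dropdown-backed field, not only the language one.

```python
"""Allowlist validation for a form field the UI renders as a dropdown.

Added example, not froxlor's code. The set of offered languages and the
form layout are constructed assumptions; the point is that the server
must re-check a value even when the browser only offered fixed options.
"""
from typing import Mapping

# Constructed: the options the template form's Language dropdown offers.
# froxlor's real list is not on the page; this is an assumed stand-in.
ALLOWED_LANGUAGES = frozenset({"English", "Deutsch", "Français"})


class ValidationError(ValueError):
    """Raised when a submitted value is not one of the offered options."""


def save_template_unchecked(form: Mapping[str, str]) -> dict:
    """Vulnerable pattern: stores 'language' exactly as submitted.

    The dropdown limits what the browser sends, but an intercepted request
    can carry any string, so 'HACKED' is stored just like 'English'.
    """
    return {
        "language": form.get("language", ""),
        "subject": form.get("subject", ""),
    }


def validate_choice(form: Mapping[str, str], field: str, allowed: frozenset) -> str:
    """Generic server-side check for any dropdown-backed field.

    Returns the value if it is one of the allowed options, otherwise raises.
    Works for language, template type, or any other fixed-option field.
    """
    value = form.get(field, "")
    if value not in allowed:
        raise ValidationError(f"{field}={value!r} is not one of the offered options")
    return value


def save_template_checked(form: Mapping[str, str]) -> dict:
    """Hardened pattern: re-validates the dropdown value on the server."""
    language = validate_choice(form, "language", ALLOWED_LANGUAGES)
    return {"language": language, "subject": form.get("subject", "")}


def rejects(form: Mapping[str, str]) -> bool:
    """True if the hardened handler refuses the submitted form."""
    try:
        save_template_checked(form)
    except ValidationError:
        return True
    return False


# Constructed request bodies: what the browser sends, and the same request
# after its 'language' field was edited in an intercepting proxy.
NORMAL_REQUEST = {"language": "English", "subject": "Welcome"}
TAMPERED_REQUEST = {"language": "HACKED", "subject": "Welcome"}


if __name__ == "__main__":
    print("unchecked:", save_template_unchecked(TAMPERED_REQUEST))
    print("checked  :", save_template_checked(NORMAL_REQUEST))
    print("tampered rejected:", rejects(TAMPERED_REQUEST))
```

The check belongs in the handler (or the model layer), never only in the template that renders the `<select>`; a rejected value is also worth logging, since a string that no dropdown offers can only arrive from a modified request.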


We are processing your report and will contact the froxlor team within 24 hours. 10 months ago
Michael
10 months ago

Maintainer


Why would you select "integrity: high" here? What files can be read/modified? The only impact I can see is that the template is just not being used because no customer has the language "HACKED". Also, adding templates is an admin-privileged component, which would set "required permissions" to high, leading to: https://cvss.js.org/#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Ahmed Hassan
10 months ago

Researcher


Because the Dropdown Menu should not be able to be manipulated and this should be fixed. Therefore the Integrity is hit, because some "fixed" Data which should not be allowed to change was manipulated.

Michael
10 months ago

Maintainer


Okay, fair enough. Do you agree on this requiring high privileges though?

Ahmed Hassan
10 months ago

Researcher


Definitely, yeah, because the template was generated by the admin account (the highest User or Administrator) and this is a high privilege account and the highest in the whole Application.

Michael Kaufmann modified the Severity from High (7.1) to Medium (5.5) 10 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Michael Kaufmann validated this vulnerability 10 months ago
Ahmed Hassan has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Michael Kaufmann marked this as fixed in 2.0.10 with commit 2feb80 10 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jan 29th 2023
Michael Kaufmann published this vulnerability 10 months ago