Authenticated HTMLi via theme parameter on /lib/ajax.php in froxlor/froxlor


Reported on

Dec 30th 2022


The theme parameter is vulnerable to HTMLi on /lib/ajax.php endpoint

Proof of Concept

  • go to
  • Login with a user
  • Go to
  • You'll see the injected payload



In this way it is possible to perform a series of actions ranging from stealing credentials, taking the victim to an arbitrary site, or the possibility of inserting false messages to the victim.

We are processing your report and will contact the froxlor team within 24 hours. a year ago
Michael Kaufmann modified the Severity from High (7.1) to Medium (5.3) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Michael Kaufmann validated this vulnerability a year ago
leorac has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Michael Kaufmann marked this as fixed in 2.0.0-beta1 with commit f2485e a year ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Michael Kaufmann published this vulnerability a year ago
to join this conversation