Stored HTML injection in froxlor/froxlor


Reported on

Aug 3rd 2023


Stored HTML Injection: A Hidden Web Threat. Learn how attackers exploit input fields to inject malicious code into web applications, jeopardizing user data and site integrity. Discover crucial prevention measures to safeguard against this insidious vulnerability.

#Step to reproduce

  1. Login to froxlor as admin
  2. Under the resource go to Hosting plans  and Add new plan  
  3. In the plan name field  add the HTML payload and save it  
  4. once after saving the plan we can see that  the payload is working 

Proof of Concept


The impact of stored HTML injection can be severe and far-reaching, affecting both website owners and their users. Here are some of the key impacts:

Compromised User Data: Stored HTML injection allows attackers to access and manipulate sensitive user data stored in the application's database. This can include personal information, passwords, financial details, and other confidential data, leading to identity theft and fraud.

Malicious Code Execution: Attackers can inject harmful scripts into the web application, leading to the execution of arbitrary code on users' browsers. This can result in unauthorized actions, data theft, or the installation of malware on users' devices.

Loss of Trust: When users' data is compromised due to stored HTML injection, it erodes their trust in the website and the organization behind it. Loss of trust can lead to a decline in user engagement, decreased customer loyalty, and damage to the company's reputation.

Financial Loss: A successful attack can have financial repercussions, including costs associated with data breaches, legal liabilities, and the expenses of recovering and securing the compromised system.

Business Disruption: If a website is affected by stored HTML injection, it may become inaccessible or experience performance issues, leading to a disruption in services and potential loss of revenue.

Regulatory Compliance Issues: Depending on the nature of the compromised data, organizations may face legal consequences and regulatory penalties for failing to protect user information adequately.

Negative SEO Impact: A compromised website may be used to host malicious content, leading search engines to flag the site as unsafe, resulting in a negative impact on its search engine rankings.

Long-term Damage: The aftermath of a successful stored HTML injection attack can be long-lasting. Rebuilding user trust and restoring the website's reputation can be a time-consuming and challenging process

We are processing your report and will contact the froxlor team within 24 hours. 7 months ago
Amalmohan modified the report
7 months ago
We have contacted a member of the froxlor team and are waiting to hear back 7 months ago
froxlor/froxlor maintainer has acknowledged this report 7 months ago
froxlor/froxlor maintainer
7 months ago


I'm currently on vacation, will check this as soon as I'm back in two weeks

Amalmohan modified the report
7 months ago
Michael Kaufmann validated this vulnerability 7 months ago
amal03-bit has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Michael Kaufmann marked this as fixed in 2.0.22 with commit 4711a4 7 months ago
The fix bounty has been dropped
This vulnerability has now been published 6 months ago
to join this conversation