froxlor / froxlor
Project repository
The server administration software for your needs - The official Froxlor development Git repository
Program response times: first interaction within 1 day, review within 11 days, fix within 23 days.
Reports (title | date | reporter | status | severity | bounty | CVE; "-" where the listing shows no value):

Absence of rate limit on "API-key" creation on admin login | Oct 15th 2023 | th3l0newolf | not applicable | - | - | -
Privilege escalation via symbolic link | Nov 10th 2023 | sro0 | - | Critical | $60 | CVE-2023-6069
Stored HTML injection | Sep 29th 2023 | huu-cuong | duplicate | Medium | - | -
SQL Database Error could lead to SQL Injection with internal Path Disclosure | Oct 2nd 2023 | huu-cuong | not applicable | - | - | -
Stored HTML injection | Sep 10th 2023 | huu-cuong | duplicate | Medium | - | -
Stored HTML injection | Sep 8th 2023 | amal03-bit | - | Medium | - | CVE-2023-4829
HTML injection Leads to Open redirection | Oct 13th 2023 | amal03-bit | - | Medium | - | CVE-2023-5564
Business Logic Error - letting the Name Field blank | Aug 11th 2023 | ahmedvienna | - | Low | - | CVE-2023-4304
Uncaught Error while deleting the default Backup File | Aug 31st 2023 | ahmedvienna | not applicable | - | - | -
SQL Errors with multiple internal Path Disclosures while deleting a Backup File | Aug 31st 2023 | ahmedvienna | not applicable | - | - | -
stored HTML Injection in the Backup Section | Aug 31st 2023 | ahmedvienna | not applicable | - | - | -
Remote Command Execution by Improper Escaping of Output | Jul 14th 2023 | mat4mee | - | Critical | $60 | CVE-2023-3668
Command Injection in "php-fpm restart command" | Jun 20th 2023 | mat4mee | duplicate | High | - | -
Insufficient Session Expiration in https://demo.froxlor.org/ | Nov 18th 2023 | kaal-kali | self closed | - | - | -
PHPSESSID is not renewed after user login | Jun 11th 2023 | uonghoangminhchau | duplicate | Low | - | -
File Path Traversal Vulnerability | Jun 9th 2023 | 1dayluo | - | Medium | - | CVE-2023-3172
Using incorrect regex to filter OS command leads to RCE | May 5th 2023 | nhiephon | duplicate | Critical | - | -
Froxlor Brute Force on Current Password Field Lead to Account Takeover Due to La... | Apr 21st 2023 | phyowathonewin | duplicate | High | - | -
Authentication Bypass and Weakness security | Apr 25th 2023 | panveanyy | informative | High | - | -
2FA Bypass by Brute Force | Jun 9th 2023 | sro0 | - | Critical | $60 | CVE-2023-3173
.Git file exposed. | Mar 17th 2023 | lambardarr | informative | High | - | -
Remote Code Execution Vulnerability Through Unrestrict File Write | Apr 14th 2023 | renhaot | - | Critical | $60 | CVE-2023-2034
Authentication Bypass for users with MD5 password hash | Mar 10th 2023 | sro0 | - | Critical | $60 | CVE-2023-1307
No Rate Limit On Reset Password | May 12th 2023 | earth2sky | - | Medium | - | CVE-2023-2666
Arbitrary File Deletion | Feb 7th 2023 | blakduk | duplicate | High | - | -
Remote Code Execution in "Import Settings" feature | Feb 17th 2023 | blakduk | - | Critical | $60 | CVE-2023-0877
html injection | Feb 7th 2023 | nayefhmoodh | duplicate | Medium | - | -
Session Fixation in https://demo.froxlor.org/ | Jun 11th 2023 | dhina016 | - | Medium | - | CVE-2023-3192
CSRF in all endpoints of /lib/ajax.php by Changing the request method to GET | Feb 25th 2023 | dhina016 | - | Medium | - | CVE-2023-1033
strong Password Policy Bypass through a Space | Jan 28th 2023 | ahmedvienna | self closed | - | - | -
weak Password Policy Directory Protection | Jan 29th 2023 | ahmedvienna | - | Medium | - | CVE-2023-0564
Language Dropdown Menu Manipulation | Jan 29th 2023 | ahmedvienna | - | Medium | - | CVE-2023-0565
SQL Database Error could lead to SQL Injection with internal Path Disclosure | Jan 29th 2023 | ahmedvienna | - | Medium | - | CVE-2023-0572
Dropdown Menu Manipulation leads to stored HTML Injection | Jan 29th 2023 | ahmedvienna | - | Medium | - | CVE-2023-0566
Stored HTML Injection | Jan 28th 2023 | ahmedvienna | informative | Medium | - | -
Privilege Escalation from customer to root | Feb 4th 2023 | sro0 | - | Critical | $60 | CVE-2023-0671
Froxlor 2.0.6 Remote Command Execution via Arbitrary File Write and Server Side... | Jan 16th 2023 | mhaskar | - | High | $30 | CVE-2023-0315
Get based CSRF on Reset OP Cache functionality | Dec 31st 2022 | leorac | - | Low | - | CVE-2022-4867
Reseller role allowed to access to admin functionalities | Dec 31st 2022 | leorac | - | Medium | - | CVE-2022-4868
Authenticated HTMLi via theme parameter on /lib/ajax.php | Dec 30th 2022 | leorac | - | Medium | - | CVE-2022-4864
Client side restriction bypass on upload image file in settings | Dec 30th 2022 | leorac | informative | Medium | - | -
Html injection on admin_settings.php through part parameter | Jan 27th 2023 | leorac | informative | Medium | - | -
Local File Read through Improper Filename Validation | Jan 16th 2023 | kos0ng | - | Medium | - | CVE-2023-0316
Authenticated Unrestricted Import Settings Lead to RCE | Dec 30th 2022 | kos0ng | not applicable | - | - | -
CSRF to change admin users password | Jan 28th 2023 | uonghoangminhchau | informative | Medium | - | -
Improper validation in using of services commands | Dec 27th 2022 | benasin | informative | High | - | -
Cron execution command field allows attackers with admin privilege to execute OS... | Dec 21st 2022 | benasin | - | High | $30 | -
Unintended API key generation | Dec 3rd 2022 | 7h3h4ckv157 | - | Medium | - | -
froxlor/froxlor <= 0.10.38.2 - Authenticated Unrestricted File Upload to RCE | Dec 3rd 2022 | haiclover | - | High | - | -
Username and email enumeration via Forgot password feature | Dec 3rd 2022 | xanhacks | - | Medium | - | -
CSRF on SSL certificates deletion | Dec 3rd 2022 | xanhacks | - | High | - | -
Html Injection Reflected in Login Page | Nov 5th 2022 | mike993 | - | Medium | - | CVE-2022-3869
Html Injection Stored in edit customers | Nov 4th 2022 | sk4rl1ght | - | High | - | CVE-2022-3721
CSRF on deleting an API key | Aug 27th 2022 | victoni | - | Medium | - | CVE-2022-3017
Use of a Broken or Risky Cryptographic Algorithm | Oct 2nd 2021 | michaellrowley | - | High | - | -
External Control of File Name or Path | Aug 25th 2021 | melbinkm | - | High | $25 | -
Sensitive Cookie Without 'HttpOnly' Flag | Aug 25th 2021 | melbinkm | - | Medium | $25 | -
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | Aug 25th 2021 | melbinkm | - | Medium | $25 | -
Current bounty amounts by severity: Critical $0, High $0, Medium $0, Low $0.