cve-2023-50256
Vulnerability from cvelistv5
Published
2024-01-03 22:34
Modified
2024-08-02 22:16
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS score ?
0.04% (0.13515)
Summary
Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue.
References
security-advisories@github.comhttps://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cacPatch
security-advisories@github.comhttps://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4Exploit, Vendor Advisory
security-advisories@github.comhttps://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4Exploit
af854a3a-2127-422b-91ae-364da2661108https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cacPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4Exploit
Impacted products
Vendor Product Version
Froxlor Froxlor Version: < 2.1.2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T22:16:46.105Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4",
               },
               {
                  name: "https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac",
               },
               {
                  name: "https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "Froxlor",
               vendor: "Froxlor",
               versions: [
                  {
                     status: "affected",
                     version: "< 2.1.2",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue.\n",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-20",
                     description: "CWE-20: Improper Input Validation",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-03T22:34:47.447Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4",
            },
            {
               name: "https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac",
            },
            {
               name: "https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4",
            },
         ],
         source: {
            advisory: "GHSA-625g-fm5w-w7w4",
            discovery: "UNKNOWN",
         },
         title: "Froxlor username/surname AND company field Bypass",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2023-50256",
      datePublished: "2024-01-03T22:34:47.447Z",
      dateReserved: "2023-12-05T20:42:59.378Z",
      dateUpdated: "2024-08-02T22:16:46.105Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2023-50256\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-01-03T23:15:08.517\",\"lastModified\":\"2024-11-21T08:36:45.770\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue.\\n\"},{\"lang\":\"es\",\"value\":\"Froxlor es un software de administración de servidores de código abierto. Antes de la versión 2.1.2, era posible enviar el formulario de registro con los campos esenciales, como el username y la password, dejados intencionalmente en blanco. Esta omisión inadvertida permitió omitir los requisitos de campo obligatorios (por ejemplo, apellido, nombre de la empresa) establecidos por el sistema. La versión 2.1.2 soluciona este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.1.2\",\"matchCriteriaId\":\"474D793F-0B1C-43DC-979C-29B4A48045FE\"}]}]}],\"references\":[{\"url\":\"https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\"]},{\"url\":\"https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]}]}}",
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.