CVE-2021-42325

9.8 CRITICAL

📋 TL;DR

CVE-2021-42325 is a SQL injection vulnerability in Froxlor's database management component that allows attackers to execute arbitrary SQL commands via a specially crafted database name. This affects Froxlor installations up to version 0.10.29.1. System administrators using vulnerable Froxlor versions are at risk of database compromise.

💻 Affected Systems

Products:
  • Froxlor
Versions: through 0.10.29.1
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects installations where custom database names can be specified during setup or configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, privilege escalation, and potential remote code execution on the underlying server.

🟠 Likely Case: Database information disclosure, data manipulation, and potential administrative access to the Froxlor control panel.

🟢 If Mitigated: Limited impact with proper input validation and database user privilege restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to database configuration functionality, typically requiring some level of authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.10.30 and later

Vendor Advisory: https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782

Restart Required: No

Instructions:

1. Backup your Froxlor installation and database.
2. Download Froxlor 0.10.30 or later from the official repository.
3. Replace the vulnerable files with patched versions.
4. Verify the fix by checking the version.

🔧 Temporary Workarounds

Input Validation Enhancement

Implement strict input validation for database name parameters

# Modify Database/Manager/DbManagerMySQL.php to sanitize database name inputs
# Add parameterized queries or proper escaping for database name variables
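The workaround above, as an added example that is not Froxlor's own code (the project's implementation lives in Database/Manager/DbManagerMySQL.php and is fixed in the linked commit): a database name is an SQL identifier, so it cannot be bound as a prepared-statement parameter; the hypothetical helpers below therefore combine a strict allow-list check with backtick identifier quoting before the name is spliced into CREATE DATABASE.

```php
<?php
// Added example, not Froxlor code. Function names and the sample inputs are
// constructed for illustration.

/**
 * Allow-list check: only [A-Za-z0-9_], 1..64 characters (64 is MySQL's
 * identifier length limit; MySQL permits a few more characters, but this
 * is the safe subset for a user-supplied name).
 */
function isSafeDatabaseName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{1,64}$/', $name);
}

/**
 * Quote an identifier for MySQL: wrap in backticks and double any embedded
 * backtick. Belt-and-braces only; call it after isSafeDatabaseName() passed.
 */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Build the CREATE DATABASE statement, or throw if the name is not safe.
 */
function buildCreateDatabaseSql(string $name): string
{
    if (!isSafeDatabaseName($name)) {
        throw new InvalidArgumentException('Rejected database name: ' . $name);
    }
    return 'CREATE DATABASE ' . quoteIdentifier($name) . ' CHARACTER SET utf8mb4';
}

// Constructed inputs: one valid name, one with SQL metacharacters, one too long.
$samples = [
    'customer_db42',
    "bad`; SELECT 1",
    'toolong' . str_repeat('a', 60),
];

foreach ($samples as $candidate) {
    try {
        echo buildCreateDatabaseSql($candidate), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

Only the first sample produces a statement; the other two are rejected before any SQL is built, which is the behaviour to aim for when hardening the database-name path.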

🧯 If You Can't Patch

  • Restrict database user privileges to minimum required permissions
  • Implement network segmentation to isolate Froxlor from critical systems

🔍 How to Verify

Check if Vulnerable:

Check if Froxlor version is 0.10.29.1 or earlier by examining the version file or admin panel.

Check Version:

grep -r 'FROXLOR_VERSION' /path/to/froxlor/install/ || cat /path/to/froxlor/install/lib/version.php

Verify Fix Applied:

Verify installation is running Froxlor 0.10.30 or later and check that Database/Manager/DbManagerMySQL.php contains the security fix from the commit.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries in MySQL logs
  • Multiple failed login attempts to Froxlor admin panel
  • Unexpected database schema changes

Network Indicators:

  • Unusual SQL query patterns to database server
  • Multiple requests to database configuration endpoints

SIEM Query:

source="mysql.log" AND ("CREATE DATABASE" OR "DROP DATABASE" OR "INFORMATION_SCHEMA") AND NOT user="expected_user"
