CVE-2024-34070
📋 TL;DR
Froxlor versions before 2.1.9 have a stored blind XSS vulnerability in the failed login logging feature. Unauthenticated attackers can inject malicious scripts via the loginname parameter during login attempts, which execute when administrators view system logs. This allows attackers to perform actions as administrators, potentially gaining full control of the application.
💻 Affected Systems
- Froxlor
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full administrative control by forcing administrator to create attacker-controlled admin account, leading to complete system compromise.
Likely Case
Attacker steals administrator session cookies or credentials, performs unauthorized administrative actions, or deploys backdoors.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before execution.
🎯 Exploit Status
Exploitation requires administrator to view system logs where malicious payload is stored.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.9
Vendor Advisory: https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53
Restart Required: No
Instructions:
1. Backup current Froxlor installation and database.
2. Download Froxlor 2.1.9 from official repository.
3. Replace existing files with new version.
4. Run update script if required.
🔧 Temporary Workarounds
Disable failed login logging
Temporarily disable logging of failed login attempts to prevent payload storage.
Edit Froxlor configuration to disable failed login logging feature
Restrict administrator log access
Limit which administrators can view system logs containing failed login attempts.
Configure role-based access controls to restrict log viewing
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in loginname parameter
- Apply input validation and output encoding at proxy/reverse proxy level
🔍 How to Verify
Check if Vulnerable:
Check the Froxlor version in the admin panel or via the command: grep -i version /path/to/froxlor/version.php
Verify Fix Applied:
Confirm the version is 2.1.9 or higher, then verify that a loginname value containing markup is shown encoded (not rendered) when the failed login entry is viewed in the system log.
📡 Detection & Monitoring
Log Indicators:
- Unusual loginname values containing script tags or JavaScript in failed login logs
- Multiple failed login attempts with similar patterns
Network Indicators:
- HTTP requests to login endpoint with script payloads in parameters
SIEM Query:
source="froxlor_logs" AND (loginname CONTAINS "<script>" OR loginname CONTAINS "javascript:")
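As an added example (not code from Froxlor or from this advisory), the script below applies the log indicators above to constructed sample failed-login lines and shows the output-encoding mitigation described under "If Mitigated". The log line layout, field names and IP values are assumptions made for the example.

```python
import html
import re
from collections import Counter

# Constructed sample lines; the format is an assumption, not real Froxlor output.
SAMPLE_LOG = """\
2024-05-01 10:00:01 [warning] failed login for loginname=admin from 198.51.100.7
2024-05-01 10:00:05 [warning] failed login for loginname=<script>document.title</script> from 198.51.100.7
2024-05-01 10:00:09 [warning] failed login for loginname=javascript:void(0) from 203.0.113.9
2024-05-01 10:00:12 [warning] failed login for loginname=bob from 198.51.100.7
"""

# Extract the loginname value and the source address from one failed-login line.
LOGINNAME_RE = re.compile(r"loginname=(?P<name>.*?) from (?P<ip>\S+)$")

# The page's SIEM indicators (<script>, javascript:) plus inline event-handler
# attributes, which a plain "<script>" match would miss.
SUSPICIOUS_RE = re.compile(r"<script|javascript:|<[a-z]+[^>]*\bon[a-z]+\s*=", re.IGNORECASE)


def parse_failed_logins(text):
    """Yield (loginname, ip) for every failed-login line in the log text."""
    for line in text.splitlines():
        m = LOGINNAME_RE.search(line)
        if m:
            yield m.group("name"), m.group("ip")


def find_suspicious(text):
    """Return (loginname, ip) pairs whose loginname contains markup or a script URI."""
    return [(name, ip) for name, ip in parse_failed_logins(text) if SUSPICIOUS_RE.search(name)]


def count_attempts_per_ip(text):
    """Count failed attempts per source address (the 'multiple attempts' indicator)."""
    return dict(Counter(ip for _, ip in parse_failed_logins(text)))


def render_for_log_view(loginname):
    """Output encoding as the mitigation: HTML-escape the value before it reaches the admin page."""
    return html.escape(loginname, quote=True)


if __name__ == "__main__":
    for name, ip in find_suspicious(SAMPLE_LOG):
        print(f"suspicious loginname from {ip}: {render_for_log_view(name)}")
    print(count_attempts_per_ip(SAMPLE_LOG))
```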
🔗 References
- https://github.com/froxlor/Froxlor/commit/a862307bce5cdfb1c208b835f3e8faddd23046e6
- https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53