Froxlor
cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*
- 0.10.16
A persistent cross-site scripting vulnerability has been identified in Froxlor Server Management Panel version 0.10.16. This vulnerability allows attackers to inject malicious scripts into customer registration input fields, specifically through the username, name, and firstname parameters. The injected scripts are executed when administrators view customer traffic modules, potentially leading to session hijacking or other malicious actions.
Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed in the context of the user viewing the affected customer traffic module. This could lead to session hijacking or other malicious actions being performed on behalf of the user.
To reproduce this vulnerability, log in with a low-privilege user account and navigate to the customer registration or profile edit section. Inject a script payload into the username, name, or firstname fields and submit the form. Once the input is saved, the injected script will be executed when an administrator views the customer traffic module.
Users are advised to update to the latest version of Froxlor, as this vulnerability has been patched. Instructions for updating can be found in the Froxlor documentation.
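The defect class described above is a missing output-encoding step: values a customer can set (username, name, firstname) are written into the admin's HTML page as-is. The following PHP snippet is an added example, not Froxlor's own code; the customer record, the field names and the two render functions are constructed for illustration. It shows the unescaped pattern beside the hardened one, where every untrusted value passes through `htmlspecialchars` at the point of output.

```php
<?php
// Added example (not Froxlor's code): rendering customer-supplied profile
// fields in an administrator view. The stored XSS described above arises
// when a field such as loginname, name or firstname is echoed into HTML
// unescaped. The customer record below is constructed for this example.

declare(strict_types=1);

/** Escape a value for insertion into an HTML text node or quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES escapes both ' and " so the value is also safe inside
    // quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string, which would silently drop the field.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: stored fields are interpolated into markup verbatim. */
function renderTrafficRowUnsafe(array $customer): string
{
    return "<tr><td>{$customer['loginname']}</td>"
         . "<td>{$customer['firstname']} {$customer['name']}</td>"
         . "<td>{$customer['traffic_mb']} MB</td></tr>";
}

/** Hardened pattern: every untrusted value is escaped where it is emitted. */
function renderTrafficRow(array $customer): string
{
    return '<tr><td>' . h($customer['loginname']) . '</td>'
         . '<td>' . h($customer['firstname']) . ' ' . h($customer['name']) . '</td>'
         . '<td>' . h((string) $customer['traffic_mb']) . ' MB</td></tr>';
}

// Constructed sample record with HTML metacharacters in the name fields.
$customer = [
    'loginname'  => 'cust01',
    'firstname'  => "O'Brien",
    'name'       => '<b>Example</b> "Ltd"',
    'traffic_mb' => 1024,
];

echo renderTrafficRowUnsafe($customer), PHP_EOL; // markup from the record reaches the browser as markup
echo renderTrafficRow($customer), PHP_EOL;       // the same markup is rendered as literal text

// Self-check: the hardened output must carry no raw tags or quotes from the
// stored values, only their entity-encoded forms.
$safe = renderTrafficRow($customer);
assert(!str_contains($safe, '<b>'));
assert(!str_contains($safe, '"Ltd"'));
assert(str_contains($safe, '&lt;b&gt;Example&lt;/b&gt;'));
```

Escaping at output is the fix that closes this class of bug regardless of which form the data entered through; validating the registration fields (length limits, rejecting angle brackets in a login name) is a useful second layer but does not replace it, because data can also arrive through imports, the API, or a database edit. A response-level `Content-Security-Policy` that forbids inline scripts further limits what an injected string can do if one rendering path is missed.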