Froxlor
cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*
Affected versions: up to 2.2.5
A vulnerability in Froxlor versions prior to 2.2.6 allows users, including resellers and customers, to create accounts using the same email address as an existing account. The system does not restrict multiple accounts from being registered with the same email, so authenticated users can create accounts that share an email address with other accounts, such as the admin's. This can lead to conflicts in account identification and potential security risks.
Exploitation of this vulnerability could result in account conflicts and security issues, as multiple accounts sharing the same email address can lead to confusion in account management and potential unauthorized access or actions.
To reproduce this vulnerability, an authenticated user (reseller or customer) can create a new account using an email address that is already associated with another account, such as an admin account. The system will not prevent this duplication, allowing the creation of conflicting accounts.
Users can update to Froxlor version 2.2.6 or later, where this vulnerability has been fixed.
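To check whether accounts in an existing installation already share an address, the following audit is an added example, not code from Froxlor or from this advisory. The table names `panel_admins` and `panel_customers` and the columns `loginname` and `email` are assumptions, and the sample rows are constructed; SQLite stands in for the panel database so the script runs offline.

```python
import sqlite3
from collections import defaultdict

# Assumed schema: table and column names are placeholders for illustration,
# not taken from the advisory. Adjust them to the real panel database.
ACCOUNT_TABLES = {"admins": "panel_admins", "customers": "panel_customers"}


def normalize(email):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


def find_shared_emails(conn):
    """Return {email: [(role, loginname), ...]} for addresses used by more than one account."""
    owners = defaultdict(list)
    for role, table in ACCOUNT_TABLES.items():
        # Table names come from the fixed mapping above, never from user input.
        for loginname, email in conn.execute(f"SELECT loginname, email FROM {table}"):
            if email:
                owners[normalize(email)].append((role, loginname))
    return {e: sorted(a) for e, a in owners.items() if len(a) > 1}


def build_sample_db():
    """Constructed sample data standing in for a panel database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE panel_admins (loginname TEXT, email TEXT)")
    conn.execute("CREATE TABLE panel_customers (loginname TEXT, email TEXT)")
    conn.executemany("INSERT INTO panel_admins VALUES (?, ?)", [
        ("admin", "admin@example.org"),
        ("reseller1", "sales@example.org"),
    ])
    conn.executemany("INSERT INTO panel_customers VALUES (?, ?)", [
        ("web1", "Admin@Example.org "),  # same mailbox as the admin, different case
        ("web2", "user@example.org"),
        ("web3", "sales@example.org"),
    ])
    return conn


if __name__ == "__main__":
    for email, accounts in sorted(find_shared_emails(build_sample_db()).items()):
        print(email, "->", accounts)
```

Any address reported with an admin-level account among its owners deserves review first, since that is the overlap the advisory singles out.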