@alon710
Created June 3, 2026 22:11
GHSA-F9RX-7WF7-JR36: Two-Factor Authentication Bypass and Passwordless API Key Creation in Froxlor

CVSS Score: 8.1 Published: 2026-06-03 Full Report: https://cvereports.com/reports/GHSA-F9RX-7WF7-JR36

Summary

An architectural flaw in the Froxlor server administration control panel allows attackers to completely bypass Two-Factor Authentication (2FA) by issuing commands directly through the API. The API authentication routine in 'FroxlorRPC::validateAuth' fails to check the account's 2FA status, enabling arbitrary execution of administrative and customer actions. Furthermore, in versions prior to 2.3.7, API keys could be created without validating the current user password, exposing users to persistent backdoor access via session hijacking or CSRF.

TL;DR

Froxlor's API endpoint completely omits Two-Factor Authentication status checks. Attackers possessing an API key can execute administrative commands on 2FA-protected accounts. Additionally, versions prior to 2.3.7 allowed passwordless generation of these keys.

Exploit Status: POC

Technical Details

  • CWE ID: CWE-287
  • Attack Vector: Network
  • CVSS v3.1: 8.1
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Froxlor Server Administration Control Panel
  • Froxlor: < 2.3.7 (Fixed in: 2.3.7)

Mitigation

  • Upgrade Froxlor to version 2.3.7 or higher to enforce password validation for API key creation.
  • Audit all active API keys in the database and revoke any legacy or unrecognized keys.
  • Restrict network access to /api.php using IP-based whitelisting within the web server configuration.
  • Enable query logging and monitor administrative API actions for anomalous source IP addresses.
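The last two mitigations (restrict /api.php to known source addresses and monitor API activity for unexpected source IPs) can be checked against web server access logs. The script below is an added example and not part of the CVEReports output or of Froxlor itself: it parses constructed combined-format access log lines, keeps only requests to /api.php, and flags those whose client address falls outside an assumed allowlist network (the 203.0.113.0/24 range and all log lines are placeholder values).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access log lines in Apache/nginx combined format.
# These are placeholder values, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2026:22:01:12 +0000] "POST /api.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
192.0.2.25 - - [03/Jun/2026:22:01:15 +0000] "POST /api.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"
203.0.113.10 - - [03/Jun/2026:22:02:03 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jun/2026:22:02:40 +0000] "POST /api.php HTTP/1.1" 200 768 "-" "curl/8.4.0"
198.51.100.7 - - [03/Jun/2026:22:02:41 +0000] "POST /api.php HTTP/1.1" 403 128 "-" "curl/8.4.0"
"""

# Assumed allowlist: networks that are permitted to reach /api.php.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Combined log format: client ip, ident, user, [timestamp], "METHOD path proto", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_allowed(ip_str, networks=ALLOWED_NETWORKS):
    """True if ip_str parses as an address inside one of the allowlisted networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Malformed or spoofed-looking field: treat as not allowed so it gets flagged.
        return False
    return any(ip in net for net in networks)


def find_unexpected_api_calls(log_text, networks=ALLOWED_NETWORKS):
    """Return the parsed records for /api.php requests that came from outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Compare the path without any query string so /api.php?x=y is still matched.
        if rec["path"].split("?", 1)[0] != "/api.php":
            continue
        if not is_allowed(rec["ip"], networks):
            findings.append(rec)
    return findings


def summarize_by_ip(findings):
    """Count flagged API requests per source address to surface the noisiest clients."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_unexpected_api_calls(SAMPLE_LOG)
    for h in hits:
        # A 200 from an unexpected address is the case worth investigating first:
        # per the advisory, a valid API key alone is enough to act on a 2FA-protected account.
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']} ({h['ua']})")
    print(dict(summarize_by_ip(hits)))
```

On the constructed sample this flags three /api.php requests from two addresses outside the allowlist; the 200 responses are the ones to correlate with the API key audit, since the advisory notes that key possession alone suffices to act on a 2FA-protected account. Replace the allowlist with the ranges from which programmatic access is genuinely expected before running it on real logs.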

Remediation Steps

  1. Navigate to the Froxlor installation root and update the installation to release 2.3.7.
  2. Run database migrations and clear the application cache to apply the security fixes.
  3. Instruct all administrators and customers utilizing 2FA to regenerate their API key credentials.
  4. Review the web server configuration to ensure /api.php is only accessible from known IP ranges if programmatic access is restricted.


Generated by CVEReports - Automated Vulnerability Intelligence