
CVE-2023-0877: Code Injection in froxlor/froxlor

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.3262%
Published: 2/17/2023
Updated: 2/28/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name: froxlor/froxlor
Ecosystem: composer
Vulnerable Versions: < 2.0.11
First Patched Version: 2.0.11

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stemmed from the settings import functionality. The pre-patch version of SImExporter.php lacked the Form::processForm() validation layer, which the patch added so that imported settings go through the same security checks as regular admin settings updates. The original code wrote base64-decoded image data directly to files without proper MIME-type or file-extension validation, and applied imported settings without input filtering, which created an injection vector. The commit message explicitly states that the fix was to 'apply the same validations' via Form::processForm(), confirming that the vulnerability lay in the import handling logic.


WAF Protection Rules

WAF Rule

Code Injection in GitHub repository froxlor/froxlor prior to 2.0.11.
