
CVE-2023-1033: Froxlor Cross-Site Request Forgery vulnerability

CVSS Score (CVSS 3.1): 8.8

Basic Information

EPSS Score: 0.50212%
Published: 2/25/2023
Updated: 3/7/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name     Ecosystem  Vulnerable Versions  First Patched Version
froxlor/froxlor  composer   < 2.0.11             2.0.11

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the state-changing AJAX endpoints updateTablelisting and resetTablelisting reading their parameters with Request::any(), which accepts them from any HTTP method, including GET. A state change that can be triggered by a GET can be forged from a cross-origin page with nothing more than an image tag or a link, so these endpoints could be driven without the user's intent. The patch replaced Request::any() with Request::post(), so the parameters are only read from the body of a POST request. Note that the method restriction on its own closes only the GET vector: a cross-site page can still auto-submit a POST form, so a state-changing endpoint also needs a per-session CSRF token that is verified on every request. The original code performed no CSRF token check on these functions at all, which is why they are high-confidence candidates for the vulnerable-function list.
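The pattern described above, as an added illustration that is not Froxlor's own code: a minimal Request helper with the any()/post() distinction and the updateTablelisting handler in three shapes (pre-patch, POST-only as the patch is described, and POST-only plus a session-bound token check). It runs offline under PHP 8 by setting the request superglobals directly; the parameter name listing, the token field csrf_token, the sample token and the three constructed requests are assumptions made for this example.

```php
<?php
// Added illustration, not Froxlor's code: a minimal Request helper modelled on
// the Request::any() / Request::post() distinction from the analysis above,
// with one state-changing handler in three variants. The parameter name
// 'listing', the token field 'csrf_token' and the sample token are assumptions.
declare(strict_types=1);

final class Request
{
    // Reads a parameter from the POST body or, failing that, the query string:
    // the behaviour the analysis identifies as the root cause.
    public static function any(string $key): ?string
    {
        return $_POST[$key] ?? $_GET[$key] ?? null;
    }

    // Reads a parameter only from a POST request's body.
    public static function post(string $key): ?string
    {
        if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
            return null;
        }
        return $_POST[$key] ?? null;
    }
}

// Compares the submitted token against the session-bound one in constant time.
function csrfTokenValid(string $sessionToken): bool
{
    $sent = Request::post('csrf_token');
    return $sent !== null && hash_equals($sessionToken, $sent);
}

// Pre-patch shape: any method, no token check.
function updateTablelistingAny(array &$settings): bool
{
    $listing = Request::any('listing');
    if ($listing === null) {
        return false;
    }
    $settings['listing'] = $listing;
    return true;
}

// Shape of the described patch: POST-only parameters, still no token check.
function updateTablelistingPostOnly(array &$settings): bool
{
    $listing = Request::post('listing');
    if ($listing === null) {
        return false;
    }
    $settings['listing'] = $listing;
    return true;
}

// Hardened shape: POST-only parameters plus a verified session-bound token.
function updateTablelistingWithToken(array &$settings, string $sessionToken): bool
{
    if (!csrfTokenValid($sessionToken)) {
        return false;
    }
    return updateTablelistingPostOnly($settings);
}

// Runs one simulated request through all three handlers and reports whether
// each one changed state. The superglobals are assigned directly so that the
// script runs from the CLI without a web server.
function simulate(string $method, array $get, array $post): array
{
    $_SERVER['REQUEST_METHOD'] = $method;
    $_GET = $get;
    $_POST = $post;
    $sessionToken = 'constructed-session-token'; // constructed; would come from $_SESSION
    $results = [];
    foreach (['any', 'post-only', 'with-token'] as $variant) {
        $settings = ['listing' => 'original'];
        $changed = match ($variant) {
            'any'        => updateTablelistingAny($settings),
            'post-only'  => updateTablelistingPostOnly($settings),
            'with-token' => updateTablelistingWithToken($settings, $sessionToken),
        };
        $results[$variant] = $changed && $settings['listing'] !== 'original';
    }
    return $results;
}

// Constructed requests: a cross-site GET (image tag or link), a cross-site
// auto-submitted POST form without the token, and a legitimate POST carrying it.
$cases = [
    'cross-site GET'            => ['GET',  ['listing' => 'attacker'], []],
    'cross-site POST, no token' => ['POST', [], ['listing' => 'attacker']],
    'same-origin POST + token'  => ['POST', [], ['listing' => 'user', 'csrf_token' => 'constructed-session-token']],
];
foreach ($cases as $name => [$method, $get, $post]) {
    printf("%-28s %s\n", $name, json_encode(simulate($method, $get, $post)));
}
```

Running it with php shows the point of the caveat: the any() variant changes state on all three requests, the POST-only variant refuses the cross-site GET but still accepts the forged POST form, and only the variant that verifies the session-bound token rejects both cross-site requests while accepting the legitimate one.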

WAF Protection Rules

WAF Rule

Froxlor prior to version 2.0.11 has a Cross-Site Request Forgery vulnerability.
