
CVE-2023-2666: Froxlor vulnerable to Allocation of Resources Without Limits or Throttling

CVSS Score (v3.1)
6.5

Basic Information

EPSS Score
0.22569%
Published
5/19/2023
Updated
11/10/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package Name    | Ecosystem | Vulnerable Versions | First Patched Version
froxlor/froxlor | composer  | < 2.0.16            | 2.0.16

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is a missing rate limit on HTTP request handling, affecting the password reset page in particular (CWE-770, Allocation of Resources Without Limits or Throttling). The fix released in 2.0.16 introduced a RateLimiter::run() call at the application's entry points: general initialization (init.php), the API endpoint (Api.php), and the installation scripts. In vulnerable versions (< 2.0.16) those entry points performed no such check, so a client could submit an unbounded number of requests to the reset page, which is why the impact is rated Availability: High with no confidentiality or integrity impact. The entry points where the check was added after the patch are therefore the places whose unthrottled behaviour caused the issue; the password reset page itself is most likely served through the same general HTTP/API initialization path, which is what makes those entry points the root of the problem rather than the reset handler alone.
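To make the missing check concrete, here is an added example (not Froxlor's code; the page names RateLimiter::run() as the call 2.0.16 added, but its internals are not shown, so the class below is a hypothetical stand-in) showing an unthrottled password reset entry point next to one that runs a fixed-window limiter before any other work. The in-memory store, the per-IP and per-login-name key scheme and the 5-per-15-minutes limit are all assumptions for illustration; the request array is constructed. Requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not Froxlor's code: a fixed-window rate limiter in front of
// a password reset handler. RateLimiter::run() is named on the page; this
// class is a hypothetical stand-in (store, key scheme and limits assumed).

final class RateLimiter
{
    /** @var array<string, array{count: int, window_start: int}> */
    private array $store = [];
    private Closure $clock;

    public function __construct(
        private int $limit,          // attempts allowed per key per window
        private int $windowSeconds,  // window length in seconds
        ?Closure $clock = null       // injectable clock so the demo is deterministic
    ) {
        $this->clock = $clock ?? static fn (): int => time();
    }

    // Count one attempt for $key and report whether it is still within the limit.
    // Rejected attempts are counted too, so a client that keeps hammering the
    // endpoint stays blocked until the window rolls over.
    public function allow(string $key): bool
    {
        $now = ($this->clock)();
        $entry = $this->store[$key] ?? ['count' => 0, 'window_start' => $now];
        if ($now - $entry['window_start'] >= $this->windowSeconds) {
            $entry = ['count' => 0, 'window_start' => $now]; // start a fresh window
        }
        $entry['count']++;
        $this->store[$key] = $entry;
        return $entry['count'] <= $this->limit;
    }

    // Seconds until the current window for $key expires (for a Retry-After header).
    public function retryAfter(string $key): int
    {
        if (!isset($this->store[$key])) {
            return 0;
        }
        return max(0, $this->store[$key]['window_start'] + $this->windowSeconds - ($this->clock)());
    }
}

// Behaviour of a vulnerable (< 2.0.16) entry point: nothing stands between
// the request and the reset logic, so the number of attempts is unbounded.
function handlePasswordResetUnthrottled(array $request): array
{
    return resetLogic($request);
}

// Hardened entry point: the limiter runs first, before any other work.
// Keying on the client address bounds one source spraying many accounts;
// keying on the login name bounds many sources targeting one account.
function handlePasswordReset(RateLimiter $limiter, array $request): array
{
    $ipKey   = 'pwreset:ip:' . $request['remote_addr'];
    $userKey = 'pwreset:user:' . strtolower($request['loginname'] ?? '');

    if (!$limiter->allow($ipKey) || !$limiter->allow($userKey)) {
        return [
            'status'      => 429,
            'retry_after' => max($limiter->retryAfter($ipKey), $limiter->retryAfter($userKey)),
            'body'        => 'Too many password reset requests',
        ];
    }
    return resetLogic($request);
}

// Placeholder for the real reset flow. Same answer whether or not the account
// exists, so the endpoint does not double as a username oracle.
function resetLogic(array $request): array
{
    return ['status' => 200, 'body' => 'If the account exists, a reset mail has been sent'];
}

// Demo on a constructed request stream: 5 attempts per key per 15 minutes.
$t = 1_700_000_000;
$limiter = new RateLimiter(limit: 5, windowSeconds: 900, clock: function () use (&$t) { return $t; });
$request = ['remote_addr' => '203.0.113.7', 'loginname' => 'admin'];

for ($i = 1; $i <= 7; $i++) {
    $r = handlePasswordReset($limiter, $request);
    printf("t+0s   attempt %d -> HTTP %d\n", $i, $r['status']);
}
$t += 900; // the window expires and the counters start over
$r = handlePasswordReset($limiter, $request);
printf("t+900s attempt 8 -> HTTP %d\n", $r['status']);
```

With these assumptions the first five attempts get 200, the sixth and seventh get 429, and the eighth, made after the window has expired, gets 200 again. Two practical caveats: the key must be built from the address the server actually saw (REMOTE_ADDR, or a proxy header only when the proxy is trusted and strips client-supplied copies), otherwise a client forges a new identity per request; and a per-process array like the one above only works for a demo, since a real deployment needs a store shared across workers (APCu, a database table, Redis) or the limit is multiplied by the number of PHP workers.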


WAF Protection Rules

WAF Rule

Froxlor prior to 2.0.16 has a password reset page with no rate limit.
