
CVE-2023-3192: Froxlor Session Fixation vulnerability

CVSS Score: 5.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.29753%
Published: 6/11/2023
Updated: 11/5/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name: froxlor/froxlor
Ecosystem: composer
Vulnerable Versions: < 2.1.0
First Patched Version: 2.1.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing session_regenerate_id() calls in critical authentication/authorization flows. The GitHub patch shows that session regeneration was added at these locations:

  1. finishLogin in index.php, which handles post-authentication session setup
  2. admin_customers.php, which handles user switching (su-action)
  3. admin_index.php, which handles session restoration from switched users

Without session ID regeneration after these privilege-changing actions, an attacker who can plant a session identifier in the victim's browser before the victim logs in or switches users (session fixation) ends up holding the identifier of the elevated session. The addition of session_regenerate_id() at exactly these points in the patch confirms them as the vulnerable locations.
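The following is an added illustration of the fixation scenario and of the fix described above; it is not Froxlor's code and does not reproduce the patched functions. The credential store, the attacker-chosen session id and the function names (finishLoginVulnerable, finishLoginFixed, switchUserFixed, simulate) are constructed for the demonstration. It runs from the PHP CLI with the default file session handler and simulates two requests: the victim logging in with a session id the attacker planted, then the attacker presenting that same id.

```php
<?php
// Added example: session fixation with and without session_regenerate_id().
// Not Froxlor code. Constructed data and function names throughout.
declare(strict_types=1);

// Strict mode (PHP >= 7.1) rejects unknown ids on session_start() and is a
// defense in its own right; it is disabled here so the fixated id is accepted,
// which is what the vulnerable pattern relies on.
ini_set('session.use_strict_mode', '0');

// Constructed credential store (hypothetical single user).
const USERS = ['alice' => 'correct horse battery staple'];

function checkCredentials(string $user, string $pass): bool
{
    return isset(USERS[$user]) && hash_equals(USERS[$user], $pass);
}

// Vulnerable pattern: the session id that existed before authentication is
// kept across the privilege change, so whoever planted it owns the session.
function finishLoginVulnerable(string $user): void
{
    $_SESSION['userid'] = $user;
    $_SESSION['authenticated'] = true;
}

// Fixed pattern: issue a fresh id at the privilege boundary. Passing true
// deletes the old session data, so the fixated id stops working.
function finishLoginFixed(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['userid'] = $user;
    $_SESSION['authenticated'] = true;
}

// The same rule applies to the admin -> customer switch (su-action): any
// change of effective identity gets a new id before the new identity is stored.
function switchUserFixed(string $adminId, string $customerId): void
{
    session_regenerate_id(true);
    $_SESSION['switched_from_admin'] = $adminId;
    $_SESSION['userid'] = $customerId;
}

// Simulates two requests sharing the server-side session store:
// 1. victim's browser carries the attacker-chosen id and the victim logs in;
// 2. attacker presents the id it planted. Returns what each side observed.
function simulate(callable $finishLogin): array
{
    $fixatedId = 'attackerchosen0123456789abcdef'; // constructed value

    // Request 1: victim logs in.
    session_id($fixatedId);
    session_start();
    if (checkCredentials('alice', 'correct horse battery staple')) {
        $finishLogin('alice');
    }
    $idAfterLogin = session_id();
    session_write_close();

    // Request 2: attacker replays the planted id.
    session_id($fixatedId);
    session_start();
    $attackerAuthenticated = !empty($_SESSION['authenticated']);
    session_destroy();
    $_SESSION = [];

    return [
        'id_changed_on_login'    => $idAfterLogin !== $fixatedId,
        'attacker_authenticated' => $attackerAuthenticated,
    ];
}

// All session work happens before any output so no headers are sent early.
$results = [
    'vulnerable' => simulate('finishLoginVulnerable'),
    'fixed'      => simulate('finishLoginFixed'),
];
print_r($results);
```

In the vulnerable run the id is unchanged after login and the attacker's request arrives already authenticated; in the fixed run the id changes and the planted id resolves to an empty session. Re-enabling session.use_strict_mode is a complementary hardening, but it does not replace regeneration: an attacker who can obtain a server-issued id (for example by visiting the site first and injecting that cookie) still needs the id to be rotated at login and at user switch.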


WAF Protection Rules

WAF Rule

Versions of froxlor/froxlor prior to release 2.1.0 did not regenerate session ids appropriately, which may result in session fixation.
