5.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-29773

GHSA ID

GHSA-7j6w-p859-464f

EPSS Score

0.02934%

CWE

CWE-287

Published

3/11/2025

Updated

3/13/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-29773

CVE-2025-29773:
Froxlor allows Multiple Accounts to Share the Same Email Address Leading to Potential Privilege Escalation or Account Takeover

Summary

the vulnerability is that users (such as resellers or customers) are able to create accounts with the same email address as an existing account (e.g., if the admin has admin@froxlor.com, others can also create an account using the same email). This creates potential issues with account identification and security.

Impact

Local/Authenticated: This vulnerability can be exploited by authenticated users (e.g., reseller, customer) who can create accounts with the same email address that has already been used by another account, such as the admin. Email-based: The attack vector is email-based, as the system does not prevent multiple accounts from registering the same email address, leading to possible conflicts and security issues.

(GitHub Advisory)

5.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-29773

GHSA ID

GHSA-7j6w-p859-464f

EPSS Score

0.02934%

CWE

CWE-287

Published

3/11/2025

Updated

3/13/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
froxlor/froxlor	composer	<= 2.2.5	2.2.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing email uniqueness checks across admin and customer accounts. The patch adds SQL queries in Admins.php and Customers.php to validate() email uniqueness against the panel_admins table. The pre-patch versions of these functions did not perform these checks, allowing email reuse. The high confidence comes from the direct correlation between the added validation logic in the commit diff and the vulnerability description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry t** vuln*r**ility is t**t us*rs (su** *s r*s*ll*rs or *ustom*rs) *r* **l* to *r**t* ***ounts wit* t** s*m* *m*il ***r*ss *s *n *xistin* ***ount (*.*., i* t** **min **s [**min@*roxlor.*om](m*ilto:**min@*roxlor.*om), ot**rs **n *lso *r**t*

Reasoning

T** vuln*r**ility st*ms *rom missin* *m*il uniqu*n*ss ****ks **ross **min *n* *ustom*r ***ounts. T** p*t** ***s SQL qu*ri*s in `**mins.p*p` *n* `*ustom*rs.p*p` to `v*li**t*()` *m*il uniqu*n*ss ***inst t** `p*n*l_**mins` t**l*. T** pr*-p*t** v*rsions

5.8

Basic Information

Concerned about an active attack path?

CVE-2025-29773: Froxlor allows Multiple Accounts to Share the Same Email Address Leading to Potential Privilege Escalation or Account Takeover

Summary

Impact

5.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-29773:
Froxlor allows Multiple Accounts to Share the Same Email Address Leading to Potential Privilege Escalation or Account Takeover

Vulnerability Intelligence
Miggo AI