Business Logic Error - leaving the Name Field blank in froxlor/froxlor

Valid

Reported on Jul 13th 2023


Hello,

I was able to bypass the restriction for setting an admin username and leave the username blank by using spaces.

Let's have a look.

As you can see, the name is marked with a red star and is therefore required to be filled.

Now we will add 2 spaces and leave the username blank and save.

As you can see, all the names have been left blank.

Thank you for your time.


We are processing your report and will contact the froxlor team within 24 hours. 2 months ago
Michael Kaufmann validated this vulnerability 2 months ago

Should also be an issue on current stable 2.x

ahmedvienna has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
ahmedvienna
2 months ago

Researcher


Hello, can you please assign it a CVE?

Thank you very much.

Michael Kaufmann marked this as fixed in 2.0.22,2.1.0 with commit ce9a5f 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 11th 2023
Michael Kaufmann published this vulnerability a month ago
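
The class of bug reported above, shown as an added example: it is not froxlor's code and not the fix from the commit referenced in this report. The function names and sample inputs are hypothetical, and the hardened check goes beyond the two ASCII spaces in the report to cover Unicode whitespace and invisible characters as well.

```php
<?php
declare(strict_types=1);

// Added illustration; function names are hypothetical, not froxlor's API.

/** Weak "required" check: rejects only the empty string, so "  " passes. */
function isFilledWeak(string $value): bool
{
    return $value !== '';
}

/**
 * Hardened "required" check, enforced server-side.
 * Strips separators (\p{Z}: space, NBSP, ...), control characters
 * (\p{Cc}: tab, newline, ...) and format characters (\p{Cf}: zero-width
 * space, ...) from both ends, then rejects what is left if it is empty.
 * Returns the normalized value to store, or null when the field is blank.
 */
function normalizeRequired(string $value): ?string
{
    $edge = '[\p{Z}\p{Cc}\p{Cf}]+';
    // With the /u modifier, preg_replace() returns null on invalid UTF-8,
    // which is treated as a rejected value here.
    $trimmed = preg_replace('/^' . $edge . '|' . $edge . '$/u', '', $value);

    return ($trimmed === null || $trimmed === '') ? null : $trimmed;
}

// Constructed sample inputs (not taken from the report's screenshots).
$samples = [
    'two spaces'       => '  ',
    'tab + newline'    => "\t\n",
    'no-break spaces'  => "\u{00A0}\u{00A0}",
    'zero-width space' => "\u{200B}",
    'padded name'      => '  Alice Admin ',
];

foreach ($samples as $label => $input) {
    $weak   = isFilledWeak($input) ? 'accepted' : 'rejected';
    $clean  = normalizeRequired($input);
    $strong = $clean === null ? 'rejected' : "accepted as '$clean'";
    printf("%-18s weak: %-9s hardened: %s\n", $label, $weak, $strong);
}
```

Storing the normalized return value rather than the raw input keeps padded names from being saved with leading or trailing whitespace.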