CVE-2023-50256
HIGH 7.5
EPSS 0.06%
Froxlor username/surname AND company field Bypass
Description
Dear Sirs and Madams, I would like to report a business logic error vulnerability that I discovered during my recent penetration test on Froxlor. Specifically, I identified an issue where it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements established by the system. The surname, family name AND company name can all be left blank. I believe addressing this vulnerability is crucial to ensure the security and integrity of the Froxlor platform. Thank you for your attention to this matter.

This action served as a means to bypass the mandatory field requirements. Let's see (please have a look at the Video -> attachment).

As you can see, I was able to leave the username and second name blank. https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4

Let's see again. Only the company name is set. Thank you for your time.
Affected packages (1)
- Packagist/froxlor/froxlor: from 0, < 2.1.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-50256
- PATCH: https://github.com/Froxlor/Froxlor
- WEB: https://github.com/Froxlor/Froxlor/commit/4b1846883d4828962add91bd844596d89a9c7cac
- WEB: https://github.com/Froxlor/Froxlor/security/advisories/GHSA-625g-fm5w-w7w4
- WEB: https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4