CVE-2025-29773

Froxlor is open-source server administration software. A vulnerability in versions prior to 2.2.6 allows users (such as resellers or customers) to create accounts with the same email address as an existing account. This creates potential issues with account identification and security. This vulnerability can be exploited by authenticated users (e.g., reseller, customer) who can create accounts with the same email address that has already been used by another account, such as the admin. The attack vector is email-based, as the system does not prevent multiple accounts from registering the same email address, leading to possible conflicts and security issues. Version 2.2.6 fixes the issue.

CVSS v3 5.8 MEDIUM

5.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.6 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/froxlor/Froxlor/commit/a43d53d54034805e3e404702a01312fa0c40b623	Patch
https://github.com/froxlor/Froxlor/security/advisories/GHSA-7j6w-p859-464f	Exploit Vendor Advisory
https://mega.nz/file/h8oFHQrL#I4V02_BWee4CCx7OoBl_2Ufkd5Wc7fvs5aCatGApkoQ	Exploit
https://github.com/froxlor/Froxlor/security/advisories/GHSA-7j6w-p859-464f	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:froxlor:froxlor:2.2.5:*:*:*:*:*:*:*

History

03 Apr 2025, 18:25

Type	Values Removed	Values Added
First Time		Froxlor froxlor Froxlor
Summary		(es) Froxlor es un software de administración de servidores de código abierto. Una vulnerabilidad en versiones anteriores a la 2.2.6 permite a los usuarios (como revendedores o clientes) crear cuentas con la misma dirección de correo electrónico que una cuenta existente. Esto genera posibles problemas de identificación y seguridad de la cuenta. Esta vulnerabilidad puede ser explotada por usuarios autenticados (por ejemplo, revendedores o clientes) que pueden crear cuentas con la misma dirección de correo electrónico que ya ha sido utilizada por otra cuenta, como la del administrador. El vector de ataque se basa en el correo electrónico, ya que el sistema no impide que varias cuentas registren la misma dirección de correo electrónico, lo que puede generar conflictos y problemas de seguridad. La versión 2.2.6 corrige el problema.
CPE		cpe:2.3:a:froxlor:froxlor:2.2.5:::::::*
CWE		NVD-CWE-noinfo
References	~~() https://github.com/froxlor/Froxlor/commit/a43d53d54034805e3e404702a01312fa0c40b623 -~~	() https://github.com/froxlor/Froxlor/commit/a43d53d54034805e3e404702a01312fa0c40b623 - Patch
References	~~() https://github.com/froxlor/Froxlor/security/advisories/GHSA-7j6w-p859-464f -~~	() https://github.com/froxlor/Froxlor/security/advisories/GHSA-7j6w-p859-464f - Exploit, Vendor Advisory
References	~~() https://mega.nz/file/h8oFHQrL#I4V02_BWee4CCx7OoBl_2Ufkd5Wc7fvs5aCatGApkoQ -~~	() https://mega.nz/file/h8oFHQrL#I4V02_BWee4CCx7OoBl_2Ufkd5Wc7fvs5aCatGApkoQ - Exploit

13 Mar 2025, 19:15

Type	Values Removed	Values Added
References	~~() https://github.com/froxlor/Froxlor/security/advisories/GHSA-7j6w-p859-464f -~~	() https://github.com/froxlor/Froxlor/security/advisories/GHSA-7j6w-p859-464f -

13 Mar 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-13 17:15

Updated : 2025-04-03 18:25

NVD link : CVE-2025-29773

Mitre link : CVE-2025-29773

CVE.ORG link : CVE-2025-29773

JSON object : View

Products Affected

froxlor

froxlor

CWE

CWE-287

Improper Authentication

NVD-CWE-noinfo

5.8 /10