CVE-2020-10235
Froxlor arbitrary code execution via the database configuration options
Severity: 8.8 HIGH (CVSS 3.1) | EPSS: 0.70%
Description
An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExistingDatabase in install/lib/class.FroxlorInstall.php.
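The defect class described above is the interpolation of user-supplied configuration values into a shell command string. The following is an added illustration written for this page, not Froxlor's code and not its actual fix: the function names (`buildBackupCommandUnsafe`, `buildBackupCommandSafe`) and the backup command shape are assumptions. It shows the unsafe pattern beside a hardened version that validates the database name and shell-quotes every argument before the string reaches `exec`.

```php
<?php
// Added example for illustration only; hypothetical helpers, not Froxlor's code.

// Unsafe pattern: installer-supplied database settings are concatenated
// directly into a command line. Any shell metacharacter in the values is
// interpreted by the shell that exec() spawns.
function buildBackupCommandUnsafe(string $dbName, string $dbUser, string $dbPass): string
{
    return "mysqldump -u$dbUser -p$dbPass $dbName > backup.sql";
}

// Hardened pattern: reject database names outside the expected character set
// (MySQL identifiers are at most 64 characters) and wrap every argument with
// escapeshellarg() so it is passed as a single literal word.
function buildBackupCommandSafe(string $dbName, string $dbUser, string $dbPass): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $dbName)) {
        throw new InvalidArgumentException('database name contains unexpected characters');
    }
    return sprintf(
        'mysqldump -u%s -p%s %s > backup.sql',
        escapeshellarg($dbUser),
        escapeshellarg($dbPass),
        escapeshellarg($dbName)
    );
}

// Constructed inputs for demonstration.
$dbName = 'froxlor';
$dbUser = 'froxlor';
$dbPass = "pa ss'word";   // contains a space and a single quote

echo buildBackupCommandUnsafe($dbName, $dbUser, $dbPass), PHP_EOL;
// The password is split by the shell into separate words and the quote is unbalanced.

echo buildBackupCommandSafe($dbName, $dbUser, $dbPass), PHP_EOL;
// Every value is single-quoted; the embedded quote is escaped as '\''.

try {
    buildBackupCommandSafe('froxlor;', $dbUser, $dbPass);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Two further points a reviewer would raise on the hardened form: placing the password on the command line still exposes it to other local users through the process list, so a `--defaults-extra-file` written with restrictive permissions is preferable; and on PHP 7.4 or later, `proc_open()` accepts the command as an array, which bypasses the shell entirely and removes the quoting problem rather than mitigating it.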
How to fix CVE-2020-10235
To remediate CVE-2020-10235, upgrade the affected package to a fixed version below.
- Upgrade to 0.10.14 or later
Is CVE-2020-10235 being exploited?
Low. The EPSS score is 0.7%, which indicates a low estimated likelihood of exploitation; exploitation activity has not been observed at scale.
Affected packages (1)
- Froxlor: all versions from 0 up to, but not including, 0.10.14
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |