CVE-2020-29653 — HTML Injection in Froxlor

Description

Froxlor through 0.10.22 does not perform validation on user input passed in the customermail GET parameter. The value of this parameter is reflected in the login webpage, allowing the injection of arbitrary HTML tags. Note: Froxlor version 0.10.22 introduces AntiXSS cross-site scripting protection, but AntiXSS only provides partial protection for this particular issue.

How to fix CVE-2020-29653

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2020-29653 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.10.22

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-29653
PATCHgithub.com/Froxlor/Froxlor
WEBgithub.com/Froxlor/Froxlor/commit/6bf5eccc2477257b6c1760a3c3784ae7e0554ce0
WEBgithub.com/Froxlor/Froxlor/security/advisories