CVE-2023-50256
Froxlor username/surname AND company field Bypass
Description
Dear Sirs and Madams,

I would like to report a business logic error vulnerability that I discovered during my recent penetration test on Froxlor. Specifically, I identified an issue where it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements established by the system. The surname, family name AND company name can all be left blank.

I believe addressing this vulnerability is crucial to ensure the security and integrity of the Froxlor platform. Thank you for your attention to this matter.

This action served as a means to bypass the mandatory field requirements. Let's see (please have a look at the video -> attachment).

----------------

As you can see, I was able to leave the username and second name blank.

https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4

Let's see again. Only the company name is set.

Thank you for your time.
How to fix CVE-2023-50256
To remediate CVE-2023-50256, upgrade the affected package to a fixed version below.
- Upgrade to 2.1.2 or later
Is CVE-2023-50256 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.1.2