CVE-2020-29653: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

April 14, 2022 (updated April 22, 2022)

Froxlor through 0.10.22 does not perform validation on user input passed in the customermail GET parameter. The value of this parameter is reflected in the login webpage, allowing the injection of arbitrary HTML tags.

References

github.com/Froxlor/Froxlor/commit/6bf5eccc2477257b6c1760a3c3784ae7e0554ce0
github.com/Froxlor/Froxlor/security/advisories
github.com/advisories/GHSA-j739-gw6q-f4c7
nozero.io/en/cve-2020-29653-froxlor-html-injection-dangling-markup/
nvd.nist.gov/vuln/detail/CVE-2020-29653

Code Behaviors & Features

Detect and mitigate CVE-2020-29653 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →