CVE-2026-41235
NONEEPSS-Score
0%
Exploit-Wahrscheinlichkeit (30 Tage)
Beschreibung
Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer with shell delegation enabled can submit an arbitrary shell such as `/bin/bash` even when the panel UI only offers more restricted choices. In deployments that use the default `nssextrausers` integration, the attacker-controlled shell is then propagated into the system account database, leading to real host shell access. Version 2.3.7 fixes the issue.
GitHub Advisories
Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement