CVE-2024-34070

CVE-2024-34070 is a critical-severity cross-site scripting (XSS) vulnerability in froxlor/froxlor (composer), affecting versions < 2.1.9. It is fixed in 2.1.9.

Summary

Description:

A Stored Blind Cross-Site Scripting (XSS) vulnerability has been identified in the Failed Login Attempts Logging Feature of the Froxlor Application. Stored Blind XSS occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious scripts that will be executed when other users access the affected page. In this case, an unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs.

The application protects users against XSS attacks by utilizing an xss sanitization library. But the checks of the library were bypassed by crafting an XSS Payload using data binding and interpolation of Vue.js

A working XSS payload was crafted which forces an administrator to add a new malicious attacker-controlled Administrator User. The Payload is:
payload.txt

By exploiting this vulnerability, an unauthenticated attacker can force the Administrator to perform actions without the administrator even noticing anything suspicious. In one scenario, I made an exploit that forced the administrator to add an attacker-controlled Administrator into the Froxlor Application, resulting in a compromise of the Froxlor Application.

Mitigation:

Implement thorough input validation and sanitization mechanisms on all user inputs. This will help prevent malicious scripts from being stored and executed. sanitize {{ and }} to prevent data binding and interpolation of Vue.js.
Sanitize malicious Javascript functions. Etc.

Steps to Reproduce:

Attacker Steps:

  1. Provide an invalid username in Login.
  2. Turn on intercept in Burp Suite.
  3. In the intercepted request, add the following XSS payload as the value of loginname parameter (Copy from below file):
    payload.txt
  4. Turn off the intercept.

Victim Steps:
5. Login as admin.
6. Go to System Logs, XSS payload will be executed and a popup will appear showing that the Application has been compromised.

Attacker Step:
7. Back at the Attacker's side, log in to the newly created attacker-controlled admin account having all the privileges. The credentials will be username: abcd & Password: abcd@@1234

Evidence:


Figure 1: Code of Logging Invalid login attempts


Figure 2: Code of saving Logs.


Figure 3: Attacker injecting XSS payload.


Figure 4: XSS payload Executed.


Figure 5: XSS payload Reflection.

Video POC

https://github.com/froxlor/Froxlor/assets/59286712/7ba7d3e7-9ee9-4e64-988c-33fd4ebbca27

Impact

The impact of this vulnerability is severe as it allows an attacker to compromise the Froxlor Application. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application.

Attackers can steal sensitive information such as login credentials, session tokens, and personally identifiable information (PII).

The vulnerability can lead to defacement of the Application.

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

CVE-2024-34070 has a CVSS score of 9.6 (Critical). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.1.9); upgrading removes the vulnerable code path.

Affected versions

froxlor/froxlor (< 2.1.9)

Security releases

froxlor/froxlor → 2.1.9 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade froxlor/froxlor to 2.1.9 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2024-34070? CVE-2024-34070 is a critical-severity cross-site scripting (XSS) vulnerability in froxlor/froxlor (composer), affecting versions < 2.1.9. It is fixed in 2.1.9. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. How severe is CVE-2024-34070? CVE-2024-34070 has a CVSS score of 9.6 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of froxlor/froxlor are affected by CVE-2024-34070? froxlor/froxlor (composer) versions < 2.1.9 is affected.
  4. Is there a fix for CVE-2024-34070? Yes. CVE-2024-34070 is fixed in 2.1.9. Upgrade to this version or later.
  5. Is CVE-2024-34070 exploitable, and should I be worried? Whether CVE-2024-34070 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2024-34070 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2024-34070? Upgrade froxlor/froxlor to 2.1.9 or later.

Other vulnerabilities in froxlor/froxlor

CVE-2026-52793CVE-2026-41234CVE-2026-41237CVE-2026-41236CVE-2026-41235

Stop the waste.
Protect your environment with Kodem.