CVE-2025-29773
Published: 13 March 2025
Description
Adversaries may create an account to maintain access to victim systems.
Security Summary
CVE-2025-29773 affects Froxlor, an open-source server administration software, in versions prior to 2.2.6. The vulnerability enables users to create accounts using the same email address as an existing account, such as an administrator's, due to a lack of duplicate email prevention. This flaw, classified under CWE-287 (Improper Authentication), leads to potential conflicts in account identification and broader security issues. It carries a CVSS v3.1 base score of 5.8 (AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N).
Authenticated users with elevated privileges, such as resellers or customers, can exploit this vulnerability by registering new accounts with an email address already in use by another account. The email-based attack vector allows for possible account confusion or takeover scenarios, compromising confidentiality and integrity of affected accounts, though no direct impact on availability is noted.
The Froxlor GitHub security advisory (GHSA-7j6w-p859-464f) and associated commit (a43d53d54034805e3e404702a01312fa0c40b623) confirm that upgrading to version 2.2.6 resolves the issue by implementing proper email uniqueness checks during account creation. Administrators are advised to apply this patch promptly to mitigate risks from duplicate email exploitation.
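To make the missing check concrete, the following is an added example (not Froxlor's code and not the advisory's patch) that models account creation over a constructed SQLite schema with separate administrator and customer tables. `create_customer_unchecked` mirrors the behaviour described above: nothing stops a new account from reusing an administrator's address. `create_customer_checked` refuses any address already held by another account, comparing case-insensitively after trimming, and `find_duplicate_emails` is an audit query an operator can run against existing data to see whether the defect was already used before the upgrade. Table and column names are invented for the illustration.

```python
import sqlite3
from typing import List, Tuple

# Constructed schema for illustration only; it is NOT Froxlor's real table layout.
SCHEMA = """
CREATE TABLE admins    (id INTEGER PRIMARY KEY, loginname TEXT NOT NULL, email TEXT NOT NULL);
CREATE TABLE customers (id INTEGER PRIMARY KEY, loginname TEXT NOT NULL, email TEXT NOT NULL);
"""


class DuplicateEmailError(ValueError):
    """Raised when a requested address is already held by another account."""


def new_panel() -> sqlite3.Connection:
    """Create an in-memory panel database seeded with one administrator account."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO admins (loginname, email) VALUES (?, ?)",
                 ("admin", "admin@example.com"))
    return conn


def normalize_email(email: str) -> str:
    """Canonical form used for comparison: surrounding whitespace removed, lower-cased."""
    return email.strip().lower()


def create_customer_unchecked(conn: sqlite3.Connection, loginname: str, email: str) -> int:
    """Pre-fix style behaviour: the address is stored without any uniqueness check."""
    cur = conn.execute("INSERT INTO customers (loginname, email) VALUES (?, ?)",
                       (loginname, email))
    return cur.lastrowid


def email_in_use(conn: sqlite3.Connection, email: str) -> bool:
    """True if any admin or customer already uses this address (case-insensitive)."""
    norm = normalize_email(email)
    row = conn.execute(
        "SELECT 1 FROM admins WHERE lower(trim(email)) = ? "
        "UNION SELECT 1 FROM customers WHERE lower(trim(email)) = ? LIMIT 1",
        (norm, norm)).fetchone()
    return row is not None


def create_customer_checked(conn: sqlite3.Connection, loginname: str, email: str) -> int:
    """Hardened creation: refuse an address that any existing account already holds."""
    if email_in_use(conn, email):
        raise DuplicateEmailError(f"email already in use: {normalize_email(email)}")
    cur = conn.execute("INSERT INTO customers (loginname, email) VALUES (?, ?)",
                       (loginname, normalize_email(email)))
    return cur.lastrowid


def find_duplicate_emails(conn: sqlite3.Connection) -> List[Tuple[str, int]]:
    """Audit query: addresses held by more than one account across both tables, with counts."""
    rows = conn.execute(
        "SELECT e, COUNT(*) FROM ("
        "  SELECT lower(trim(email)) AS e FROM admins"
        "  UNION ALL SELECT lower(trim(email)) AS e FROM customers"
        ") GROUP BY e HAVING COUNT(*) > 1 ORDER BY e").fetchall()
    return [(e, n) for e, n in rows]


if __name__ == "__main__":
    vulnerable = new_panel()
    # Without the check, a customer can register with the administrator's address.
    create_customer_unchecked(vulnerable, "cust1", "Admin@Example.com ")
    print("duplicates after unchecked creation:", find_duplicate_emails(vulnerable))

    fixed = new_panel()
    try:
        create_customer_checked(fixed, "cust1", "Admin@Example.com")
    except DuplicateEmailError as exc:
        print("rejected:", exc)
    print("duplicates after checked creation:", find_duplicate_emails(fixed))
```

Two design points are worth noting. The check spans both tables because a per-table `UNIQUE` index cannot express "no two accounts of any kind share an address"; where accounts live in one table, a unique index on the normalized address is the stronger enforcement, since a check-then-insert sequence like the one above can still race under concurrent requests. The audit query is the practical companion to the upgrade: it reports addresses that already collide, which is the condition the advisory describes, so an operator can review those accounts rather than only preventing new collisions.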
Details
- CWE(s): CWE-287 (Improper Authentication)
- Affected Products: Froxlor, versions prior to 2.2.6
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability allows creation of accounts with duplicate emails by bypassing uniqueness checks, directly facilitating T1136 Create Account for account confusion or takeover scenarios.