CVE-2020-28957
Description
Multiple cross-site scripting (XSS) vulnerabilities in the Customer Add module of Froxlor v0.10.16 allow attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the name, firstname, or username input fields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Froxlor/Froxlor (source: description)
- ghsa-coords
Patches
Vulnerability mechanics
Root cause
"Missing input validation and output encoding in the Customer Add module allows persistent injection of arbitrary script code via the name, firstname, and username fields."
Attack vector
An attacker with a low-privilege user account (reseller or customer) sends a POST request to the customer add module with malicious script code embedded in the `name`, `firstname`, or `username` parameters [ref_id=1]. The payload is stored server-side and later rendered unsanitized in the admin backend pages `admin_customers.php` and `customers.php`, where it executes in the browser of an administrator viewing the customer list or traffic module [ref_id=1]. This is a persistent (stored) XSS attack [CWE-79] that requires no user interaction beyond the admin viewing the affected page.
Affected code
The vulnerability resides in the Customer Add module of Froxlor v0.10.16. The `username`, `name`, and `firstname` input fields in the customer add/registration form are not sanitized before being stored and later rendered in `admin_customers.php` and `customers.php` [ref_id=1]. The injection point is the registration or customer add/edit module, and the payload executes when an admin views the traffic module in the admin backend [ref_id=1].
What the fix does
The advisory recommends three remediation steps: validate and escape the content of the vulnerable `username`, `name`, and `firstname` input fields; restrict the input fields to disallow special characters; and encode the output at the two execution points (`admin_customers.php` and `customers.php`) [ref_id=1]. No patch diff is included in the bundle, but the vendor was notified and a fix was reportedly developed by 2020-10-12 [ref_id=1]. The fix closes the vulnerability by ensuring user-supplied data is neutralized before being stored and before being rendered in the admin interface.
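As an added illustration (not Froxlor's own code and not taken from the advisory), the PHP below shows the unencoded-output pattern the narrative describes next to the two fixes the advisory recommends: restricting what the input fields accept, and encoding the value at the point where it is written into the admin page. The function names, the row markup, and the sample record are assumptions made for this example; the probe string is the one quoted in the Reproduction section.

```php
<?php
// Added example, not Froxlor code. Field names follow the advisory
// (username, firstname, name); everything else is assumed for illustration.

// --- The unsafe pattern: a stored field is concatenated into HTML as-is. ---
function render_customer_row_unsafe(array $customer): string
{
    return '<tr><td>' . $customer['username'] . '</td><td>'
        . $customer['firstname'] . ' ' . $customer['name'] . '</td></tr>';
}

// --- Mitigation 1: validate at input time (the advisory's "restrict the
// input fields to disallow special characters"). ---
function validate_username(string $username): bool
{
    // 3-32 lowercase letters, digits or underscore: no HTML metacharacters can pass.
    return (bool) preg_match('/^[a-z0-9_]{3,32}$/', $username);
}

function validate_display_name(string $name): bool
{
    // Unicode letters and marks, space, hyphen and apostrophe only, 1-64 chars.
    // Apostrophes are allowed for real names, which is why output encoding
    // below must still cover quotes.
    return (bool) preg_match("/^[\\p{L}\\p{M} '\\-]{1,64}$/u", $name);
}

// --- Mitigation 2: encode at output time, independently of validation
// (the advisory's "encode the output at the execution points"). ---
function h(string $s): string
{
    // ENT_QUOTES encodes both ' and ", so the value is also safe inside attributes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_customer_row_safe(array $customer): string
{
    return '<tr><td>' . h($customer['username']) . '</td><td>'
        . h($customer['firstname']) . ' ' . h($customer['name']) . '</td></tr>';
}

// Constructed sample record for the demonstration (decoded form of the
// advisory's probe string in the username field, ordinary values elsewhere).
$customer = [
    'username'  => 'test >"div style=1',
    'firstname' => 'Jane',
    'name'      => "O'Brien",
];

// Input-side check: the probe string fails the username rule, the name passes.
var_dump(validate_username($customer['username']));
var_dump(validate_display_name($customer['name']));

// Output-side check: the unsafe renderer passes '>' and '"' through to the
// browser; the safe renderer emits them as character references.
echo render_customer_row_unsafe($customer), "\n";
echo render_customer_row_safe($customer), "\n";
```

The two mitigations are deliberately independent: validation stops the probe string from ever being stored, and output encoding makes the page safe even for records that were stored before validation existed or that contain legitimately quoted characters.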
Preconditions
- auth: Attacker must have a low-privilege user account (reseller or customer) on the Froxlor panel
- input: Attacker must submit a POST request to the customer add/edit module with a malicious payload in the name, firstname, or username fields
- config: An administrator must view the affected admin backend page (admin_customers.php or customers.php) where the payload is rendered
Reproduction
1. Register or log in with a low-privilege user account on the Froxlor panel [ref_id=1].
2. Open the profile account section or the customer add form.
3. Inject a test payload (e.g., `test%20>"div style=1`) into the `name`, `firstname`, or `username` input fields [ref_id=1].
4. Save or submit the form via POST.
5. Wait until an admin or higher-privileged user opens the traffic stats page (`admin_traffic.php`), where the payload executes in the browser [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cv24-vh45-4hjm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-28957 (ghsa, ADVISORY)
- www.vulnerability-lab.com/get_content.php (ghsa, x_refsource_MISC, WEB)