CVE-2026-41228

Froxlor · Froxlor

A path traversal flaw in the Froxlor API allows authenticated customers to execute arbitrary PHP code via the `def_language` parameter.

Executive summary

An authenticated path traversal vulnerability in Froxlor prior to version 2.3.6 allows an authenticated attacker to execute arbitrary PHP code on the server with the privileges of the web server user.

Vulnerability

This is a path traversal and arbitrary code execution vulnerability: an authenticated customer can inject a malicious path into the `def_language` parameter, and that path is passed to PHP's `require`, so the file it points to is executed as PHP.

Business impact

Successful exploitation allows an attacker to achieve remote code execution, granting them the ability to run arbitrary commands as the web server user. This could lead to a total server compromise, unauthorized access to sensitive customer data, and potential lateral movement within the network. The CVSS score of 9.9 highlights the extreme severity of this flaw.

Remediation

Immediate Action: Upgrade all Froxlor instances to version 2.3.6 or later.

Proactive Monitoring: Monitor server logs for suspicious file system access patterns and for `require` calls that load files from unexpected paths.

Compensating Controls: Restrict API access to trusted IP addresses and use a WAF to block requests containing path traversal sequences (e.g., `../`).
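As an added example serving both the monitoring and the WAF recommendations above (this is not Froxlor's code and not part of the advisory): a small Python scanner that pulls `def_language` out of API request lines in a web server access log, percent-decodes it repeatedly so double-encoded traversal is not missed, and flags dot-dot segments, absolute paths and null bytes, optionally also any value outside an allowlist of installed language names. The endpoint path `/api.php`, the GET encoding of the parameter, the sample log lines and the language names are constructed assumptions; the advisory only names the parameter.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit, unquote

# Constructed sample access-log lines (combined log format). The /api.php
# endpoint and the GET encoding of def_language are assumptions for
# illustration; the real API may carry the parameter in a POST body instead.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2026:10:00:01 +0000] "GET /api.php?command=Customers.update&def_language=English HTTP/1.1" 200 512
10.0.0.7 - - [01/May/2026:10:00:02 +0000] "GET /api.php?command=Customers.update&def_language=../../../tmp/evil HTTP/1.1" 200 512
10.0.0.7 - - [01/May/2026:10:00:03 +0000] "GET /api.php?command=Customers.update&def_language=%2e%2e%2f%2e%2e%2ftmp%2fevil HTTP/1.1" 200 512
10.0.0.9 - - [01/May/2026:10:00:04 +0000] "GET /api.php?command=Customers.update&def_language=%252e%252e%252fuploads%252fevil HTTP/1.1" 200 512
10.0.0.5 - - [01/May/2026:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

# Minimal combined-log-format parser: client IP, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameters to inspect; def_language is the one named in the advisory.
WATCHED_PARAMS = ("def_language",)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str, allowed: Optional[frozenset] = None) -> Optional[str]:
    """Return a reason string if the parameter value looks hostile, else None.

    `allowed` is an optional allowlist of installed language names (constructed
    here; the real set would come from the application's language directory).
    """
    decoded = fully_decode(value).replace("\\", "/")  # treat backslash like slash
    if "\x00" in decoded:
        return "null byte"
    if decoded.startswith("/"):
        return "absolute path"
    if any(segment == ".." for segment in decoded.split("/")):
        return "dot-dot segment"
    if allowed is not None and decoded not in allowed:
        return "not an installed language"
    return None


def scan_log(text: str, allowed: Optional[frozenset] = None) -> list:
    """Scan access-log text and return one finding dict per suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand
        query = urlsplit(match.group("target")).query
        params = parse_qs(query, keep_blank_values=True)  # decodes one layer of %xx
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                reason = classify(value, allowed)
                if reason is not None:
                    findings.append({
                        "ip": match.group("ip"),
                        "time": match.group("ts"),
                        "param": name,
                        "value": value,
                        "reason": reason,
                    })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} {finding['param']}={finding['value']!r}: {finding['reason']}")
```

Run it over a real log with `scan_log(open(path).read())`, passing the set of actually installed language names as `allowed` so that anything other than a known language is surfaced, not just values with traversal markers. The regex only sees query strings, so if the API receives `def_language` in a POST body, the same `classify` check has to be applied to the parsed body (for example from a WAF or application-level log that records request parameters).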

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability represents a critical risk to the integrity of the server environment. Administrators must verify their current version of Froxlor and apply the 2.3.6 update as a high-priority task to prevent full system compromise.