CVE-2026-41229
Froxlor · Froxlor
An injection vulnerability in Froxlor's `PhpHelper` allows administrators to inject and execute arbitrary PHP code via unescaped string literals.
Executive summary
A critical injection vulnerability in Froxlor prior to version 2.3.6 allows an authenticated administrator to execute arbitrary PHP code by injecting malicious strings into configuration files.
Vulnerability
This is a code injection vulnerability where the PhpHelper::parseArrayToString() function fails to escape single quotes, allowing an administrator to inject malicious PHP code into lib/userdata.inc.php.
Business impact
By exploiting this flaw, an attacker with the change_serversettings permission can gain persistent remote code execution: the injected PHP runs on every page load. This grants the attacker ongoing control over the server environment, risking total data compromise and loss of system integrity. The CVSS score of 9.1 underlines the severe risk to organizational infrastructure.
Remediation
Immediate Action: Upgrade to Froxlor version 2.3.6 or later to ensure proper escaping of configuration strings.
Proactive Monitoring: Audit the lib/userdata.inc.php file for any unauthorized modifications or embedded PHP code blocks.
Compensating Controls: Limit access to administrative functions and strictly enforce the principle of least privilege for all administrative accounts.
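For the escaping failure described under Vulnerability and the audit step above, an added example that is not Froxlor's own code: a serializer that writes settings with var_export(), which escapes single quotes and backslashes, and an audit function that tokenizes a generated config file and flags anything beyond a plain array assignment. The $sql variable name, the sample settings values and the file layout are assumptions.

```php
<?php
// Added example, not Froxlor's code. Assumes a hypothetical $sql settings
// array that is written out as a PHP config file like lib/userdata.inc.php.

// Hardened serializer: var_export() emits a valid PHP literal and escapes
// single quotes and backslashes, so a value can only ever be data, not code.
function safeArrayToPhp(array $settings): string
{
    return "<?php\n\$sql = " . var_export($settings, true) . ";\n";
}

// Audit check for a generated config file: tokenize it and report anything a
// plain array assignment never contains (calls, eval, backticks, close/open
// tags, interpolated strings, variables other than $sql).
function findUnexpectedTokens(string $phpSource): array
{
    $allowedIds   = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_VARIABLE, T_ARRAY,
                     T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER,
                     T_DOUBLE_ARROW, T_STRING];
    $allowedChars = ['=', '(', ')', '[', ']', ',', ';', '-'];
    $findings     = [];
    foreach (token_get_all($phpSource) as $tok) {
        if (!is_array($tok)) {
            if (!in_array($tok, $allowedChars, true)) {
                $findings[] = "unexpected character {$tok}";
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        $ok = in_array($id, $allowedIds, true);
        if ($id === T_STRING) {   // bare words: only the literals var_export emits
            $ok = in_array(strtolower($text), ['true', 'false', 'null'], true);
        } elseif ($id === T_VARIABLE) {
            $ok = ($text === '$sql');
        }
        if (!$ok) {
            $findings[] = sprintf('line %d: %s %s', $line, token_name($id), $text);
        }
    }
    return $findings;
}

// Constructed input with the characters that break naive single-quoting.
$settings = ['host' => 'localhost', 'password' => "it's a \\ 'test'"];
$source   = safeArrayToPhp($settings);

// Round-trip through a temporary file and confirm the value survived as data.
$tmp = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($tmp, $source);
include $tmp;
var_dump($sql === $settings, findUnexpectedTokens($source));
unlink($tmp);
```

Run the audit function against the real file on a host to list any token that a settings dump should not contain; an empty result means the file is a plain array assignment.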
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability allows for persistent code execution, making it a high-priority concern for any administrator. Immediate patching to version 2.3.6 is required to neutralize the injection vector and secure the server configuration.