Cyber Resilience

CVE-2023-0315

Severity: High · Public PoC · RCE

Published: 16 January 2023

Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in 2.0.8 (see Deeper analysis)
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8913 (99.6th percentile)
Risk Priority: 71 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-0315 is a high-severity Command Injection (CWE-77) vulnerability in the Froxlor web hosting control panel. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-0315 is a command injection vulnerability, tracked as CWE-77, that affects the Froxlor web hosting control panel in versions prior to 2.0.8. The flaw resides in the GitHub repository froxlor/froxlor and received a CVSS 3.1 score of 8.8, reflecting network-accessible exploitation with low attack complexity and low required privileges.

An authenticated attacker with low-privileged access can supply crafted input that results in arbitrary command execution on the underlying host. Successful exploitation grants the attacker full control over confidentiality, integrity, and availability of the affected system, enabling outcomes such as remote code execution without user interaction.

Publicly available proof-of-concept exploits targeting versions 2.0.6 and 2.0.3 have been posted to Packet Storm, and a fix was merged in commit 090cfc26f2722ac3036cc7fd1861955bc36f065a. The associated huntr.dev report confirms the issue was disclosed through coordinated vulnerability handling; administrators should upgrade to 2.0.8 or later to eliminate the injection vector. The EPSS score has remained elevated near its peak of 0.9032.

Vulnerability details

Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8.

CWE(s)

CWE-77: Command Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: froxlor
Product: froxlor
Versions: ≤ 2.0.8

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.