CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-mr9h-45p9-fg8h: Froxlor: Authenticated customers can read other customers' allowed sender aliases

mediumCVSS 4.3
Summary An authenticated customer can read other customers' allowed sender aliases from Froxlor's sender-delete confirmation page when mail.enable_allow_sender is enabled. customer_email.php loads allowed_sender by global auto-increment senderid alone, so a customer can enumerate foreign sender alias IDs and make Froxlor disclose those values in the confirmation dialog for the attacker's own mailbox. Details The vulnerable read lives in customer_email.php: $senderid = Request::any('senderid', 0); ... $sel_stmt = Database::prepare("SELECT allowed_sender FROM " . TABLE_MAIL_SENDER_ALIAS . " WHERE id = :sid"); $sender_data = Database::pexecute_first($sel_stmt, ['sid' => $senderid]); HTML::askYesNo('email_reallydelete_sender', $filename, [ 'id' => $id, 'senderid' => $senderid, 'page' => $page, 'domainid' => $email_domainid, 'action' => $action ], $idna_convert->decode($result['email_full']) . ' -> ' . $sender_data['allowed_sender']); The query does not scope senderid to the current customer or to the mailbox being edited. mail_sender_aliases.id is a global AUTO_INCREMENT primary key: CREATE TABLE mail_sender_aliases ( id int(11) NOT NULL auto_increment, email varchar(255) NOT NULL, allowed_sender varchar(255) NOT NULL, PRIMARY KEY (id) ) That makes sender alias IDs enumerable. A customer who owns any mailbox with sender-alias management enabled can request the delete-confirmation page for their own mailbox while supplying foreign senderid values. Froxlor then renders the foreign allowed_sender string in the confirmation prompt. Proof of Concept Verified against Froxlor 2.3.6 on a fresh test install with mail.enable_allow_sender=1. 1. Create two customers, victim and attacker. 2. Give each customer one mailbox. 3. Add a sender alias for the victim mailbox: info@victim.local -> leaked-sender@example.org 4. Log in as the attacker and request the

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 4.3
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-mr9h-45p9-fg8h

More from GitHub Security Advisories