GHSA-mr9h-45p9-fg8h: Froxlor: Authenticated customers can read other customers' allowed sender aliases
Froxlor versions prior to 2.3.7 have a vulnerability where an authenticated customer can read other customers' allowed sender aliases if mail.enable_allow_sender is enabled. The issue arises because the sender alias lookup by senderid is not scoped to the current customer or mailbox, allowing enumeration and disclosure of other customers' sender alias values on the delete confirmation page. This is an information disclosure vulnerability without direct impact on data integrity or availability.
AI Analysis
Technical Summary
In Froxlor versions before 2.3.7, when mail.enable_allow_sender is enabled, the customer_email.php script loads allowed sender aliases by a global auto-increment senderid without verifying ownership. Since mail_sender_aliases.id is a global primary key, an authenticated user can enumerate senderid values and cause Froxlor to display allowed sender aliases belonging to other customers on the delete confirmation page. Although the attacker cannot delete foreign aliases due to ownership checks during deletion, this flaw leads to cross-tenant information disclosure of allowed sender aliases.
Potential Impact
An authenticated customer can enumerate and read allowed sender aliases belonging to other customers, resulting in cross-tenant information disclosure. The vulnerability does not allow modification or deletion of other customers' sender aliases, nor does it affect system availability.
Mitigation Recommendations
Scope the sender alias lookup to the current customer and mailbox before rendering the confirmation page, and return the same "not found" response for a senderid that does not exist and one that belongs to another customer, so the page cannot be used as an ownership oracle. The confirmation flow should reuse the ownership verification already performed by EmailSender::delete(). Upgrade to Froxlor 2.3.7 or later once it is available; patch status is not yet confirmed, so check the vendor advisory for current remediation guidance. Until then, operators who do not need the allowed-sender feature can disable mail.enable_allow_sender, since the disclosure only occurs when that setting is enabled.
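The following is an added illustration of the lookup flaw and its fix; it is not Froxlor's code. It models the mail_sender_aliases table in an in-memory SQLite database with a global auto-increment id, as the analysis describes, and contrasts an unscoped lookup by senderid with one scoped to the requesting customer and mailbox. The column names customerid, email_full and sender_alias, the tenant data, and the enumerate_aliases helper are assumptions made for the example.

```python
import sqlite3

# Assumed schema for the example: only the global auto-increment id is
# taken from the advisory; the other column names are hypothetical.
SCHEMA = """
CREATE TABLE mail_sender_aliases (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    customerid   INTEGER NOT NULL,   -- owning customer (assumed name)
    email_full   TEXT    NOT NULL,   -- mailbox the alias applies to (assumed name)
    sender_alias TEXT    NOT NULL    -- allowed sender address (assumed name)
);
"""

# Constructed sample data: two tenants, ids 1-3 are assigned globally.
ROWS = [
    (1, "alice@tenant-a.example", "sales@tenant-a.example"),
    (1, "alice@tenant-a.example", "support@tenant-a.example"),
    (2, "bob@tenant-b.example", "billing@tenant-b.example"),
]


def build_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO mail_sender_aliases (customerid, email_full, sender_alias) "
        "VALUES (?, ?, ?)",
        ROWS,
    )
    return conn


def lookup_unscoped(conn, senderid):
    """Vulnerable pattern: the row is selected by global id alone, so any
    authenticated customer who guesses an id gets that row back."""
    row = conn.execute(
        "SELECT customerid, sender_alias FROM mail_sender_aliases WHERE id = ?",
        (senderid,),
    ).fetchone()
    return None if row is None else {"customerid": row[0], "sender_alias": row[1]}


def lookup_scoped(conn, senderid, customerid, email_full):
    """Hardened pattern: ownership is part of the query itself. A foreign id
    and a nonexistent id both yield None, so the caller cannot tell them apart."""
    row = conn.execute(
        "SELECT customerid, sender_alias FROM mail_sender_aliases "
        "WHERE id = ? AND customerid = ? AND email_full = ?",
        (senderid, customerid, email_full),
    ).fetchone()
    return None if row is None else {"customerid": row[0], "sender_alias": row[1]}


def enumerate_aliases(lookup, max_id=10):
    """What the attacker does: walk candidate senderid values through the
    given lookup and collect every alias the page would render."""
    found = {}
    for sid in range(1, max_id + 1):
        result = lookup(sid)
        if result is not None:
            found[sid] = result["sender_alias"]
    return found


def demo():
    """Run the enumeration as customer 2 against both lookups and return
    (leaked, visible): leaked contains tenant A's aliases, visible does not."""
    conn = build_db()
    attacker_customerid, attacker_mailbox = 2, "bob@tenant-b.example"
    leaked = enumerate_aliases(lambda sid: lookup_unscoped(conn, sid))
    visible = enumerate_aliases(
        lambda sid: lookup_scoped(conn, sid, attacker_customerid, attacker_mailbox)
    )
    return leaked, visible


if __name__ == "__main__":
    leaked, visible = demo()
    print("unscoped lookup exposes:", leaked)
    print("scoped lookup exposes:  ", visible)
```

The scoped query is the same check the deletion path is described as performing; putting the ownership predicate in the SELECT, rather than fetching by id and comparing afterwards, means there is no window in which foreign data is loaded and could be rendered by mistake.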
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-mr9h-45p9-fg8h
- Osv Schema Version
- 1.4.0
- Aliases
- []
- Ecosystems
- ["Packagist"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a46ecb927e9c7971943cb3d
Added to database: 07/02/2026, 22:56:57 UTC
Last enriched: 07/02/2026, 23:13:18 UTC
Last updated: 07/03/2026, 03:31:15 UTC
Views: 3