CVE-2020-10235: 
PHP vulnerability analysis and mitigation

CVE-2020-10235 is a security vulnerability discovered in Froxlor versions before 0.10.14, disclosed on March 9, 2020. The vulnerability allowed remote attackers with access to the installation routine to execute arbitrary code via unescaped database configuration options passed to exec function, specifically in the _backupExistingDatabase function within install/lib/class.FroxlorInstall.php (NVD).

The vulnerability stems from improper escaping of user input in the database backup functionality during installation. Specifically, the _backupExistingDatabase function in class.FroxlorInstall.php passed unescaped database configuration parameters to the exec() function, allowing command injection. The vulnerability has a CVSS v3.1 Base Score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (NVD).

If exploited, this vulnerability allows attackers with access to the installation routine to execute arbitrary commands on the host system with the privileges of the web server user. This could lead to complete system compromise, data theft, or service disruption (SUSE Bugzilla).

The vulnerability was fixed in Froxlor version 0.10.14 through two commits that properly escape shell arguments. The fix includes adding escapeshellarg() function calls for database configuration parameters and enhancing security on userdata.inc.php creation (Froxlor Commit, Froxlor Commit 2).