CVE-2020-28957: 
PHP vulnerability analysis and mitigation

Multiple cross-site scripting (XSS) vulnerabilities were discovered in the Customer Add module of Froxlor v0.10.16. The vulnerability was assigned CVE-2020-28957 and was disclosed on November 12, 2020. The affected software versions include Froxlor v0.10.16 running on Debian, Gentoo, and Ubuntu platforms (Vulnerability Lab).

The vulnerability exists in the Customer Add module where attackers can inject malicious script code through the name, firstname, or username input fields. The injection point is in the registration or customer add/edit module, with execution occurring in the admin backend through the admin_customers.php and customers.php files. The attack vector is persistent and uses the POST request method. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

Successful exploitation of the vulnerability can result in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources, and persistent manipulation of affected application modules. The vulnerability requires a low-privileged user account and minimal user interaction to exploit (Vulnerability Lab).

The recommended fixes include validating and escaping the content of the vulnerable username, name, and firstname input fields, restricting special characters in these inputs, parsing and secure encoding the output locations, and encoding the results in the edit form (Vulnerability Lab).