CVE-2021-42325: 
PHP vulnerability analysis and mitigation

CVE-2021-42325 is a SQL injection vulnerability affecting Froxlor through version 0.10.29.1. The vulnerability exists in the Database/Manager/DbManagerMySQL.php file, where an authenticated user can perform SQL injection via a custom DB name. The vulnerability was discovered and disclosed in October 2021 (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue stems from improper neutralization of special elements in SQL commands (CWE-89) in the Database/Manager/DbManagerMySQL.php file when handling custom database names. The vulnerability was patched by implementing prepared statements for database creation operations (GitHub Patch).

The vulnerability allows an authenticated customer to escalate privileges by creating a Froxlor administrator account, which can then be used to achieve Remote Code Execution (RCE) as root on the target machine. This gives attackers complete control over the affected system (Exploit DB).

The vulnerability has been patched in Froxlor version 0.10.30. The fix implements prepared statements for database creation operations to prevent SQL injection. Users should upgrade to version 0.10.30 or later to protect against this vulnerability (GitHub Patch).