Headline
GHSA-625g-fm5w-w7w4: Froxlor username/surname AND company field Bypass
Dear Sirs and Madams,
I would like to report a business logic error vulnerability that I discovered during my recent penetration test on Froxlor.
Specifically, I identified an issue where it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements established by the system.
The surname, family name AND company name can all be left blank.
I believe addressing this vulnerability is crucial to ensure the security and integrity of the Froxlor platform.
Thank you for your attention to this matter.
This action served as a means to bypass the mandatory field requirements.
Let's see (please have a look at the video -> attachment).
As you can see, I was able to leave the username and second name blank.
https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4
Let's see again.
Only the company name is set.
Thank you for your time
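A server-side check for this class of gap, as an added example (not Froxlor's code and not the fix in the referenced commit): it rejects records whose mandatory fields are blank after normalisation, going beyond literally empty strings to whitespace-only, invisible-character-only, omitted and non-string values. The field names and the rule that a record needs first name plus surname, or a company name, are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Froxlor code. Requires PHP 8.0+ (mixed type).
// Field names and the name-or-company rule are assumptions.

/** Reduce a submitted value to the text a person would actually see. */
function visible_text(mixed $value): string
{
    if (!is_string($value)) {
        return ''; // missing keys, null and arrays (firstname[]=x) count as blank
    }
    // Treat control, format (zero-width, BOM) and separator characters as spaces.
    $clean = preg_replace('/[\p{C}\p{Z}]+/u', ' ', $value);
    return trim($clean ?? ''); // preg_replace() returns null on invalid UTF-8
}

/** Return the names of mandatory fields that are effectively blank. */
function missing_customer_fields(array $input): array
{
    $first   = visible_text($input['firstname'] ?? null);
    $surname = visible_text($input['name'] ?? null);
    $company = visible_text($input['company'] ?? null);

    // Assumed rule: a record needs first name and surname, or a company name.
    if ($company !== '' || ($first !== '' && $surname !== '')) {
        return [];
    }
    $missing = [];
    if ($first === '') { $missing[] = 'firstname'; }
    if ($surname === '') { $missing[] = 'name'; }
    $missing[] = 'company';
    return $missing;
}

// Constructed request bodies, as the server would receive them.
$samples = [
    'all blank'       => ['firstname' => '', 'name' => '', 'company' => ''],
    'whitespace only' => ['firstname' => '  ', 'name' => "\t", 'company' => "\u{00A0}"],
    'zero-width only' => ['firstname' => "\u{200B}", 'name' => "\u{FEFF}", 'company' => ''],
    'fields omitted'  => [],
    'array value'     => ['firstname' => ['x'], 'name' => 'Doe', 'company' => ''],
    'company only'    => ['company' => 'Example GmbH'],
    'full name'       => ['firstname' => 'Jane', 'name' => 'Doe'],
];
foreach ($samples as $label => $input) {
    $missing = missing_customer_fields($input);
    printf("%-16s %s\n", $label, $missing ? 'REJECT: ' . implode(', ', $missing) : 'accept');
}
```

The check has to run in the request handler on every create and update path; a `required` attribute in the HTML form is only a hint to the browser and enforces nothing on the server.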
References
- GHSA-625g-fm5w-w7w4
- https://nvd.nist.gov/vuln/detail/CVE-2023-50256
- Froxlor/Froxlor@4b18468
- https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4