Impact
Froxlor’s DataDump.add() method previously built the export destination path from user input without applying the fixed homedir validation, so a symlink inside that path could point at any system directory. When the ExportCron task, which runs under the root account, expands that path it resolves the symlink and executes a recursive chown. An attacker who can invoke the export function, such as a local or remote user with access to the Froxlor web interface, can therefore cause root to change the ownership of any directory they can reference with a symlink, effectively taking administrative control over arbitrary parts of the file system. The flaw falls under CWE‑59 (Relative Path Traversal/Symbolic Link Vulnerability). It is exploitable only when ExportCron runs with root privileges and the attacker can provide input to DataDump.add. The exploit is straightforward: craft a symlink from the export path to a target directory and trigger the cron job. Once the chown runs, the attacker owns the target, enabling further compromise such as altering configurations, installing malware, or deleting files. The CVSS score of 7.5 classifies the issue as high severity, and the EPSS score of < 1% indicates a low but real probability of in‑the‑wild exploitation. The flaw is not listed in CISA’s KEV catalog, but the ability to hijack ownership of arbitrary directories is a significant privilege escalation that can compromise system integrity and availability. Affected installations are those running Froxlor older than 2.3.6 with ExportCron configured to execute as root. Version 2.3.6 introduces the missing symlink validation and should be installed as soon as possible to mitigate the risk.
Affected Systems
The flaw affects installations of the Froxlor open‑source server administration software published before version 2.3.6. Users who have configured the built‑in ExportCron task to run as the root account are at risk, because the task invokes DataDump.add on customer‑supplied exports and then resolves any symlink in the destination path with root privileges. The vulnerable code path is part of the DataDump module inside Froxlor. Applying the 2.3.6 release, which adds the missing fixed homedir check, eliminates the flaw; older releases remain affected until patched.
Risk and Exploitability
The CVSS score of 7.5 indicates that the vulnerability has significant impact, particularly when exploited to alter file ownership. EPSS < 1% suggests exploitation is unlikely but not impossible, especially in environments where customers can submit data to export functions. An attacker would first need to create or control a symlink that points to the directory they wish to own, then trigger the cron job by invoking DataDump.add, which resolves the symlinked path as root and runs chown -R on it. Because the flaw is tied to a root‑executed cron job, the attack requires either legitimate user access with export privileges or a system misconfiguration that allows arbitrary code injection into the cron context. Even though the vulnerability is not currently listed in CISA KEV, the ability to seize ownership of arbitrary directories is a serious privilege escalation that can break the isolation guarantees of the server. In sum, the risk is high in environments that run the export cron under root and expose export functions to customer input.
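The missing check described in the Impact and Risk sections is a fixed-homedir containment test that has to reject symlinks component by component, not just a lexical `..` check. The following added example, written in Python rather than Froxlor's PHP and not taken from the Froxlor code base, shows what such a validation looks like: `validate_export_destination` is a hypothetical helper that canonicalises the customer's homedir, rejects lexical traversal, walks every path component refusing symlinks, and re-checks the fully resolved path. `demo` builds a constructed homedir in a temporary directory with a symlink pointing outside it, standing in for the system directory a planted link would target, and reports which requests are accepted.

```python
import os
import tempfile


def validate_export_destination(homedir: str, requested: str) -> str:
    """Return the canonical destination if it lies safely inside homedir.

    Raises ValueError when the requested path escapes the customer's fixed
    homedir, either lexically ('..', absolute path) or through a symlink in
    any component. Hypothetical helper, not Froxlor's own code.
    """
    home_real = os.path.realpath(homedir)
    # Relative input is anchored to the homedir; absolute input is checked as given.
    candidate = requested if os.path.isabs(requested) else os.path.join(home_real, requested)
    normalized = os.path.normpath(candidate)

    # 1. Lexical containment: reject '..' traversal before touching the filesystem.
    if os.path.commonpath([home_real, normalized]) != home_real:
        raise ValueError("destination escapes homedir (lexical)")

    # 2. Component walk: a symlink anywhere below the homedir would let a later
    #    root-run 'chown -R' land on whatever the link points at, so refuse it.
    current = home_real
    for part in os.path.relpath(normalized, home_real).split(os.sep):
        if part in ("", "."):
            continue
        current = os.path.join(current, part)
        if os.path.islink(current):
            raise ValueError(f"symlink in destination path: {current}")

    # 3. Canonical containment: the resolved path must still sit under the homedir.
    resolved = os.path.realpath(normalized)
    if os.path.commonpath([home_real, resolved]) != home_real:
        raise ValueError("destination resolves outside homedir")
    return resolved


def demo() -> dict:
    """Constructed layout: <tmp>/customer is the homedir, <tmp>/etc-like stands in
    for a system directory, and customer/link is a symlink pointing at it."""
    base = tempfile.mkdtemp()
    homedir = os.path.join(base, "customer")
    outside = os.path.join(base, "etc-like")
    os.makedirs(os.path.join(homedir, "exports"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(homedir, "link"))

    results = {"plain": validate_export_destination(homedir, "exports")}
    for name, req in (("symlink", "link/dump"),
                      ("dotdot", "../etc-like"),
                      ("absolute", outside)):
        try:
            validate_export_destination(homedir, req)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

Only the plain `exports` request passes; the symlinked, `..` and absolute requests are all rejected before anything privileged runs. The component walk is the part that matters for this class of bug: a `realpath`-only check performed by the web layer can be raced or bypassed if the link is created after validation, so the root-side cron should re-run the same validation on the stored path immediately before its `chown -R`, and never operate on a path it has not canonicalised itself.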
OpenCVE Enrichment
Github GHSA