The flaw in the Froxlor web‑interface occurs in the Domains.add() routine where the adminid parameter is accepted from user input without validation if the calling reseller does not have the customers_see_all permission. A reseller can therefore assign newly created domains to any other administrator, causing the domain counter of that unrelated admin to increment while the reseller’s own quota remains unchanged. This allows a reseller to exhaust another administrator’s domain quota, potentially locking that user out of adding new domains. The issue is a classic example of improper authorization characterized by CWE‑863.

The vulnerability affects the Froxlor server administration software, specifically all releases prior to version 2.3.6. Users running Froxlor 2.3.5 or earlier, regardless of operating system, are susceptible because the flaw resides in the core domain‑management code. Version 2.3.6 and later contain the necessary validation to prevent the abuse.

The CVSS score of 5.4 indicates a medium severity. The EPSS score of less than 1% suggests a low likelihood of public exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker must possess reseller‑level access to the management interface, but otherwise needs no special conditions; the attack can be performed by simply submitting a domain‑creation request with a crafted adminid. The impact is limited to evading the intended resource quotas rather than achieving code execution or broader system compromise.