Dear Sirs and Madams,
I would like to report a business logic error vulnerability that I discovered during my recent penetration test on Froxlor.
Specifically, I identified an issue where it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements established by the system.
The surname, family name AND company name all of them can be left blank.
I believe addressing this vulnerability is crucial to ensure the security and integrity of the Froxlor platform.
Thank you for your attention to this matter.
This action served as a means to bypass the mandatory field requirements.
Lets see (please have a look at the Video -> attachment).
as you can see i was able to let the username and second name blank.
https://user-images.githubusercontent.com/80028768/289675319-81ae8ebe-1308-4ee3-bedb-43cdc40da474.mp4
Lets see again.
Only the company name is set.
Thank you for your time
{ "nvd_published_at": "2024-01-03T23:15:08Z", "cwe_ids": [ "CWE-20" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-01-04T17:20:03Z" }