An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExistingDatabase in install/lib/class.FroxlorInstall.php.
https://github.com/Froxlor/Froxlor/compare/0.10.13...0.10.14
https://github.com/Froxlor/Froxlor/commit/7e361274c5bf687b6a42dd1871f6d75506c5d207
https://github.com/Froxlor/Froxlor/commit/62ce21c9ec393f9962515c88f0c489ace42bf656