CVE-2023-7335
Arbitrary File Read in EduSoho Classroom Export Enables Data Exposure
Publication date: 2026-01-22
Last updated on: 2026-01-22
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hangzhou_kuozhi_network_technology | edusoho | all versions before 22.4.7 (22.4.7 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
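The CWE-22 text above describes the defect in the abstract. The following added example (illustrative code, not EduSoho's own implementation; the export root directory and the function names are made up for the example) shows the naive join that produces the weakness next to a containment check that rejects any name resolving outside the restricted directory. It uses pure path arithmetic so it runs without touching the filesystem; production code should additionally resolve symlinks with realpath before comparing.

```python
import posixpath

# Hypothetical directory the export feature is meant to serve files from.
EXPORT_ROOT = "/srv/edusoho/export"


def vulnerable_resolve(export_root: str, file_name: str) -> str:
    """Naive concatenation (the CWE-22 pattern): '../' segments or an
    absolute name walk out of export_root unchecked."""
    return posixpath.join(export_root, file_name)


def safe_resolve(export_root: str, file_name: str) -> str:
    """Join, normalise, then require the result to stay under export_root.
    Raises ValueError for anything that escapes the root."""
    root = posixpath.normpath(export_root)
    candidate = posixpath.normpath(posixpath.join(root, file_name))
    # The candidate must be the root itself or a descendant of it; a bare
    # prefix test is not enough ("/srv/edusoho/export2" would pass), hence
    # the trailing separator.
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"path escapes export root: {file_name!r}")
    return candidate


def escapes_root(export_root: str, file_name: str) -> bool:
    """Convenience predicate for the check above."""
    try:
        safe_resolve(export_root, file_name)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    payload = "../../../config/parameters.yml"
    print("naive join :", vulnerable_resolve(EXPORT_ROOT, payload))
    print("escapes?   :", escapes_root(EXPORT_ROOT, payload))
    print("benign name:", safe_resolve(EXPORT_ROOT, "stats-2026.csv"))
```

Note that the check works on the decoded parameter value; if a framework hands you a still-percent-encoded string, decode it first, or the comparison will be made against the wrong bytes.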
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an arbitrary file read flaw in EduSoho versions prior to 22.4.7. It sits in the classroom course statistics export functionality: the fileNames[] request parameter is used to build a file path without neutralising traversal sequences, so an unauthenticated remote attacker can supply values such as ../../../config/parameters.yml and have the server return files from outside the intended export directory. That particular file is sensitive because it holds configuration parameters, which may include secrets and database credentials. [3, 6]
How can this vulnerability impact me?
The vulnerability allows attackers to read sensitive files on the server without authentication. This can lead to exposure of secrets, database credentials, and other critical configuration data, potentially enabling further attacks, unauthorized access, or data breaches. [3, 6]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Presence of the flaw is confirmed by sending a crafted HTTP GET request to the classroom course statistics export endpoint with a path traversal value in the fileNames[] parameter, for example ../../../config/parameters.yml, and checking whether the response body is the file's contents (YAML parameter definitions) rather than an error page. Public references cite Nuclei (for running such a check) and the ZoomEye search engine (for locating exposed EduSoho instances) in connection with this vulnerability. [3, 6] Only test systems you are authorised to test. On the defensive side, the same traversal pattern can be hunted retrospectively in web server access logs: any request to the export endpoint whose fileNames[] value contains a ../ segment (raw or percent-encoded, including double-encoded forms) or an absolute path is an exploitation attempt, and a 200 response with a non-zero body size indicates it likely succeeded.
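The log hunt described above, as an added example (not code from the page's sources or from EduSoho): it parses common-log-format access lines, decodes the query string repeatedly so single- and double-encoded payloads are normalised, and reports requests whose fileNames[] value contains a traversal segment or an absolute path. The URL path /classroom/12/course/statistics/export and the log lines are constructed for the example; the real route may differ, so the filter matches on the parameter rather than on the path.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (common log format); not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2026:10:01:02 +0000] "GET /classroom/12/course/statistics/export?fileNames%5B%5D=stats-2026.csv HTTP/1.1" 200 8123
203.0.113.9 - - [22/Jan/2026:10:01:09 +0000] "GET /classroom/12/course/statistics/export?fileNames%5B%5D=../../../config/parameters.yml HTTP/1.1" 200 1044
198.51.100.7 - - [22/Jan/2026:10:02:11 +0000] "GET /classroom/12/course/statistics/export?fileNames[]=..%2F..%2F..%2Fconfig%2Fparameters.yml HTTP/1.1" 200 1044
198.51.100.7 - - [22/Jan/2026:10:02:15 +0000] "GET /classroom/12/course/statistics/export?fileNames[]=%252e%252e%252f%252e%252e%252fconfig%252fparameters.yml HTTP/1.1" 403 0
192.0.2.3 - - [22/Jan/2026:10:03:00 +0000] "GET /course/7/overview HTTP/1.1" 200 5123
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)
# A ".." path component bounded by slash/backslash or string ends.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252e%252e becomes '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_file_names(target: str) -> list[str]:
    """Return decoded fileNames[] values that traverse or are absolute."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for key, values in params.items():
        if fully_decode(key) != "fileNames[]":
            continue
        for raw in values:
            decoded = fully_decode(raw)
            if TRAVERSAL_RE.search(decoded) or decoded.startswith("/"):
                hits.append(decoded)
    return hits


def scan_log(text: str) -> list[dict]:
    """One finding per log line carrying a suspicious fileNames[] value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_file_names(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "size": m["size"],
                "file_names": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "likely succeeded" if f["status"] == 200 and f["size"] != "0" else "blocked/failed"
        print(f'{f["ts"]} {f["ip"]} {f["file_names"]} -> {f["status"]} ({verdict})')
```

A 403 with an empty body (fourth line) is an attempt that something in front of the application stopped; the 200 responses with a non-zero size are the ones to treat as probable credential exposure.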
What immediate steps should I take to mitigate this vulnerability?
The fix is to update EduSoho to version 22.4.7 or later, where the vendor corrected the flaw. Until the update is applied, restrict access to the classroom course statistics export endpoint (for example to authenticated users or trusted networks) and block or alert on requests whose fileNames[] parameter contains traversal sequences, including percent-encoded forms. If access logs show that config/parameters.yml or similar files were already retrieved, treat every secret in those files as compromised and rotate the database credentials and other secrets they contain. [1, 3, 6]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated remote attackers to read arbitrary files on the server, including configuration files containing secrets and database credentials. Credentials obtained this way can give access to the personal data an EduSoho instance stores about students and staff, so successful exploitation can amount to a reportable data breach under regulations such as GDPR and HIPAA, which require that personal and sensitive information be protected against unauthorised access. [3, 6]