Skip to main content

EduSoho CVE-2023-7335

HIGH
Path Traversal (CWE-22)
2026-01-22 disclosure@vulncheck.com
8.7
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote unauthenticated traversal with no user interaction (AV:N/AC:L/PR:N/UI:N); confidentiality-only file disclosure (C:H, I:N/A:N) with no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Source Code Evidence Fetched
Jul 15, 2026 - 02:43 vuln.today
Analysis Updated
Jul 15, 2026 - 02:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 15, 2026 - 02:38 vuln.today
cvss_changed
CVSS changed
Jul 15, 2026 - 02:38 NVD
8.7 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Jan 26, 2026 - 15:04 vuln.today
Public exploit code
CVE Published
Jan 22, 2026 - 17:15 nvd
N/A

DescriptionCVE.org

EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the server filesystem, including application configuration files such as config/parameters.yml that may contain secrets and database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-19 (UTC).

AnalysisAI

Arbitrary file read in EduSoho versions prior to 22.4.7 lets a remote, unauthenticated attacker retrieve any file on the server through the classroom-course-statistics export feature. By injecting path-traversal sequences into the fileNames[] parameter, an attacker can pull sensitive files such as config/parameters.yml, exposing database credentials and application secrets. Publicly available exploit code exists, and the Shadowserver Foundation reported observing exploitation evidence on 2026-01-19, though the flaw is not listed as CISA KEV in the provided data; EPSS remains low at 0.13%.

Technical ContextAI

EduSoho is a PHP/Symfony-based online education (e-learning) platform, evidenced by the targeted config/parameters.yml file, which is the standard Symfony application secrets/parameters file holding database DSNs, mailer credentials, and app secrets. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory / path traversal): the classroom-course-statistics export handler builds a filesystem path from the attacker-controlled fileNames[] array parameter without canonicalizing or constraining it to an intended base directory, so '../' sequences escape the export directory and resolve to arbitrary absolute paths. Because the export endpoint serves the referenced file back to the requester, the traversal converts directly into an information-disclosure primitive.

Affected ProductsAI

EduSoho e-learning platform, all versions prior to 22.4.7, are affected; the issue is fixed in release v22.4.7 (https://github.com/edusoho/edusoho/releases/tag/v22.4.7). No CPE strings were provided in the source data, so the exact affected-version enumeration is derived from the description and the vendor's release tag rather than an NVD CPE match. The vulnerability is also tracked as CNVD-2023-03903 (https://www.cnvd.org.cn/flaw/show/CNVD-2023-03903), and a vendor advisory is available from VulnCheck (https://www.vulncheck.com/advisories/edusoho-arbitrary-file-read-via-classroom-course-statistics).

RemediationAI

Vendor-released patch: upgrade to EduSoho v22.4.7 or later, whose release notes cite fixes for multiple security vulnerabilities (https://github.com/edusoho/edusoho/releases/tag/v22.4.7). If immediate upgrade is not possible, restrict or block access to the classroom-course-statistics export endpoint at a reverse proxy or WAF and filter requests whose fileNames[] parameter contains traversal sequences (../, encoded %2e%2e, or absolute paths) - this may break legitimate statistics export until patched. Because config/parameters.yml credentials may already be exposed, rotate the database credentials, application secret, and any mailer or third-party keys stored there, and review server logs for prior exploitation of the fileNames[] parameter. Additional references: CNVD advisory (https://www.cnvd.org.cn/flaw/show/CNVD-2023-03903) and VulnCheck advisory (https://www.vulncheck.com/advisories/edusoho-arbitrary-file-read-via-classroom-course-statistics).

Share

CVE-2023-7335 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy