CVE-2023-7335

2026-01-22 [email protected]

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
PoC Detected: Jan 26, 2026 - 15:04 (vuln.today) - public exploit code
CVE Published: Jan 22, 2026 - 17:15 (nvd)

Description

EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the server filesystem, including application configuration files such as config/parameters.yml that may contain secrets and database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-19 (UTC).

Analysis

EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality.

Technical Context

Classified as CWE-22 (Path Traversal). Affects EduSoho. EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the server filesystem, including application configuration files such as config/parameters.yml that may contain secrets and database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-19 (UTC).

Affected Products

Product: EduSoho. Versions: up to 22.4.7.

Remediation

Monitor vendor advisories for a patch. Validate and sanitize file path inputs. Use allowlists.

Priority Score

20 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +0
POC: +20


CVE-2023-7335 vulnerability details – vuln.today
