EduSoho CVE-2023-7335
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote unauthenticated traversal with no user interaction (AV:N/AC:L/PR:N/UI:N); confidentiality-only file disclosure (C:H, I:N/A:N) with no scope change.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the server filesystem, including application configuration files such as config/parameters.yml that may contain secrets and database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-19 (UTC).
AnalysisAI
Arbitrary file read in EduSoho versions prior to 22.4.7 lets a remote, unauthenticated attacker retrieve any file on the server through the classroom-course-statistics export feature. By injecting path-traversal sequences into the fileNames[] parameter, an attacker can pull sensitive files such as config/parameters.yml, exposing database credentials and application secrets. Publicly available exploit code exists, and the Shadowserver Foundation reported observing exploitation evidence on 2026-01-19, though the flaw is not listed as CISA KEV in the provided data; EPSS remains low at 0.13%.
Technical ContextAI
EduSoho is a PHP/Symfony-based online education (e-learning) platform, evidenced by the targeted config/parameters.yml file, which is the standard Symfony application secrets/parameters file holding database DSNs, mailer credentials, and app secrets. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory / path traversal): the classroom-course-statistics export handler builds a filesystem path from the attacker-controlled fileNames[] array parameter without canonicalizing or constraining it to an intended base directory, so '../' sequences escape the export directory and resolve to arbitrary absolute paths. Because the export endpoint serves the referenced file back to the requester, the traversal converts directly into an information-disclosure primitive.
Affected ProductsAI
EduSoho e-learning platform, all versions prior to 22.4.7, are affected; the issue is fixed in release v22.4.7 (https://github.com/edusoho/edusoho/releases/tag/v22.4.7). No CPE strings were provided in the source data, so the exact affected-version enumeration is derived from the description and the vendor's release tag rather than an NVD CPE match. The vulnerability is also tracked as CNVD-2023-03903 (https://www.cnvd.org.cn/flaw/show/CNVD-2023-03903), and a vendor advisory is available from VulnCheck (https://www.vulncheck.com/advisories/edusoho-arbitrary-file-read-via-classroom-course-statistics).
RemediationAI
Vendor-released patch: upgrade to EduSoho v22.4.7 or later, whose release notes cite fixes for multiple security vulnerabilities (https://github.com/edusoho/edusoho/releases/tag/v22.4.7). If immediate upgrade is not possible, restrict or block access to the classroom-course-statistics export endpoint at a reverse proxy or WAF and filter requests whose fileNames[] parameter contains traversal sequences (../, encoded %2e%2e, or absolute paths) - this may break legitimate statistics export until patched. Because config/parameters.yml credentials may already be exposed, rotate the database credentials, application secret, and any mailer or third-party keys stored there, and review server logs for prior exploitation of the fileNames[] parameter. Additional references: CNVD advisory (https://www.cnvd.org.cn/flaw/show/CNVD-2023-03903) and VulnCheck advisory (https://www.vulncheck.com/advisories/edusoho-arbitrary-file-read-via-classroom-course-statistics).
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today