CVE-2023-7335
📋 TL;DR
EduSoho versions before 22.4.7 contain an unauthenticated path traversal vulnerability in the classroom-course-statistics export feature. Attackers can read arbitrary files from the server filesystem, potentially exposing sensitive configuration files containing secrets and database credentials. All EduSoho deployments using vulnerable versions are affected.
💻 Affected Systems
- EduSoho
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via credential theft from configuration files, leading to database access, privilege escalation, and lateral movement.
Likely Case
Exposure of sensitive configuration files (database credentials, API keys, secrets) leading to data breaches and unauthorized access.
If Mitigated
Limited information disclosure if proper file permissions and network segmentation are in place.
🎯 Exploit Status
Shadowserver Foundation observed exploitation in the wild on 2026-01-19. Multiple public proof-of-concept exploits available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.4.7
Vendor Advisory: https://github.com/edusoho/edusoho/releases/tag/v22.4.7
Restart Required: Yes
Instructions:
1. Back up your current installation and database.
2. Download EduSoho version 22.4.7 or later from the official repository.
3. Replace the vulnerable files with the patched version.
4. Restart the web server and application services.
5. Verify functionality.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block path traversal sequences in the fileNames[] parameter
Add a WAF rule to block requests containing '../' or '..\' in the fileNames[] parameter
Access Control Restriction
Restrict access to the classroom-course-statistics endpoint
Add an IP-based restriction or an authentication requirement to the affected endpoint
🧯 If You Can't Patch
- Implement strict network segmentation to isolate EduSoho server from sensitive systems
- Rotate all database credentials, API keys, and secrets stored in configuration files
🔍 How to Verify
Check if Vulnerable:
Test whether the classroom-course-statistics endpoint accepts path traversal sequences in the fileNames[] parameter
Check Version:
Check EduSoho version in admin panel or application configuration
Verify Fix Applied:
Verify that path traversal attempts are rejected and version shows 22.4.7 or higher
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to classroom-course-statistics with fileNames[] containing '../' or '..\'
- Unusual file access patterns from web application
Network Indicators:
- Multiple requests to config/parameters.yml or other sensitive files
SIEM Query:
web.url:*classroom-course-statistics* AND (web.param.fileNames:*../* OR web.param.fileNames:*..\*)
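The log indicators and SIEM query above, turned into an offline checker as an added example (not code from this advisory or from EduSoho): it parses combined-format web access log lines, scopes to the classroom-course-statistics endpoint, and flags any fileNames[] value carrying '../' or '..\' in raw, URL-encoded or double-encoded form. The log entries and addresses are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory; everything else is constructed.
ENDPOINT = "classroom-course-statistics"
PARAM_PREFIX = "fileNames"
TRAVERSAL = re.compile(r"\.\.[/\\]")  # '../' or '..\'
# Apache/nginx combined format: client ip, timestamp, request line, status.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def is_traversal_attempt(request_line: str) -> bool:
    """True if the request targets the export endpoint and any fileNames[]
    value contains a traversal sequence (raw, encoded or double-encoded)."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    url = urlsplit(parts[1])
    if ENDPOINT not in url.path:
        return False
    query = parse_qs(url.query, keep_blank_values=True)  # first URL-decode pass
    for key, values in query.items():
        if key.startswith(PARAM_PREFIX):
            # second decode catches double-encoded sequences such as ..%252f
            if any(TRAVERSAL.search(unquote(v)) for v in values):
                return True
    return False

def scan_access_log(lines):
    """Return (client_ip, timestamp, request_line, status) for each matching entry."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_traversal_attempt(m.group("req")):
            hits.append((m.group("ip"), m.group("ts"), m.group("req"), int(m.group("status"))))
    return hits

SAMPLE_LOG = [  # constructed sample entries, not real traffic
    '203.0.113.5 - - [19/Jan/2026:10:00:01 +0000] "GET /classroom-course-statistics?fileNames[]=report.csv HTTP/1.1" 200 512',
    '203.0.113.9 - - [19/Jan/2026:10:00:02 +0000] "GET /classroom-course-statistics?fileNames[]=../../../config/parameters.yml HTTP/1.1" 200 2048',
    '203.0.113.9 - - [19/Jan/2026:10:00:03 +0000] "GET /classroom-course-statistics?fileNames%5B%5D=..%2F..%2Fconfig%2Fparameters.yml HTTP/1.1" 200 2048',
    '203.0.113.9 - - [19/Jan/2026:10:00:04 +0000] "GET /classroom-course-statistics?fileNames[]=..%5C..%5Cconfig%5Cparameters.yml HTTP/1.1" 200 2048',
    '198.51.100.7 - - [19/Jan/2026:10:00:05 +0000] "GET /other-export?fileNames[]=../../config/parameters.yml HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("ALERT", hit)
```

A 200 status on a flagged request is the stronger signal, since a patched 22.4.7 install should reject the traversal rather than serve the file.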
🔗 References
- https://blog.csdn.net/qq_41904294/article/details/135007351
- https://cn-sec.com/archives/2451582.html
- https://github.com/edusoho/edusoho/releases/tag/v22.4.7
- https://github.com/gobysec/GobyVuls/blob/master/CNVD-2023-03903.md
- https://github.com/zeroChen00/exp-poc/blob/main/EduSoho%E6%95%99%E5%9F%B9%E7%B3%BB%E7%BB%9Fclassropm-course-statistics%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
- https://www.cnvd.org.cn/flaw/show/CNVD-2023-03903
- https://www.edusoho.com/
- https://www.vulncheck.com/advisories/edusoho-arbitrary-file-read-via-classroom-course-statistics