CVE-2025-28367

6.5 MEDIUM

📋 TL;DR

CVE-2025-28367 is a directory traversal vulnerability in mojoPortal's BetterImageGallery API Controller that allows attackers to read sensitive files like Web.Config. This exposes the MachineKey, which could lead to further compromise. All mojoPortal installations up to version 2.9.0.1 are affected.

💻 Affected Systems

Products:
  • mojoPortal
Versions: <=2.9.0.1
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All mojoPortal installations using BetterImageGallery are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain the MachineKey, forge authentication tokens, escalate privileges, and potentially achieve remote code execution or full system compromise.

🟠 Likely Case

Attackers read Web.Config to obtain the MachineKey, then forge authentication tokens to gain unauthorized access to the application.

🟢 If Mitigated

With proper input validation and access controls, exploitation attempts are blocked and logged without data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.0.2

Vendor Advisory: https://github.com/i7MEDIA/mojoportal

Restart Required: Yes

Instructions:

1. Back up your mojoPortal installation.
2. Download version 2.9.0.2 or later from the official repository.
3. Replace the affected files.
4. Restart the application server.

🔧 Temporary Workarounds

Block vulnerable endpoint (platform: all)

Configure the web server to block access to the /BetterImageGallery/ImageHandler endpoint.

# For Apache: match case-insensitively, since ASP.NET request paths are not case-sensitive
RewriteEngine On
RewriteRule ^/BetterImageGallery/ImageHandler - [F,NC]
# For IIS (Request Filtering, under <system.webServer><security>): <requestFiltering><denyUrlSequences><add sequence="/BetterImageGallery/ImageHandler" /></denyUrlSequences></requestFiltering>

Input validation filter (platform: windows)

Reject directory traversal sequences before they reach the handler. On IIS this is done with the Request Filtering module rather than application code; test the rule against legitimate gallery URLs before enabling it in production.

# In web.config, under <system.webServer><security> (denyQueryStringSequences covers traversal carried in a query parameter; IIS 7.5+):
<requestFiltering><denyUrlSequences><add sequence=".." /></denyUrlSequences><denyQueryStringSequences><add sequence=".." /></denyQueryStringSequences></requestFiltering>

🧯 If You Can't Patch

  • Implement WAF rules to block directory traversal patterns in requests
  • Restrict network access to mojoPortal to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check if mojoPortal version is <=2.9.0.1 and BetterImageGallery is installed

Check Version:

Check web.config or admin panel for version information

Verify Fix Applied:

Verify that the version is >=2.9.0.2 and test that directory traversal attempts against the endpoint are rejected

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' or '..\' patterns to /BetterImageGallery/ImageHandler
  • Access attempts to Web.Config from unauthorized paths

Network Indicators:

  • Unusual GET/POST requests with traversal sequences
  • Requests for sensitive file paths

SIEM Query:

source="web_server" AND (uri="*BetterImageGallery/ImageHandler*" AND (uri="*../*" OR uri="*..\\*"))
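As an added detection example (not code from this page or the mojoPortal project), the Python below scans constructed web-server access-log lines for requests to /BetterImageGallery/ImageHandler that carry '../' or '..\' after percent-decoding, so the single- and double-encoded variants that a literal wildcard match like the SIEM query above would miss are also flagged. The parameter name `path`, the IP addresses and the log lines are constructed assumptions; the page does not name the vulnerable parameter.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined-log style (not real traffic).
# The "path" query parameter is an assumption; the page does not name the parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2025:10:00:01 +0000] "GET /BetterImageGallery/ImageHandler?path=gallery/1.jpg HTTP/1.1" 200 5120
10.0.0.7 - - [01/Apr/2025:10:00:02 +0000] "GET /BetterImageGallery/ImageHandler?path=../../Web.Config HTTP/1.1" 200 8192
10.0.0.7 - - [01/Apr/2025:10:00:03 +0000] "GET /betterimagegallery/imagehandler?path=..%2f..%2fWeb.Config HTTP/1.1" 200 8192
10.0.0.9 - - [01/Apr/2025:10:00:04 +0000] "GET /Content/site.css HTTP/1.1" 200 1024
10.0.0.9 - - [01/Apr/2025:10:00:05 +0000] "GET /BetterImageGallery/ImageHandler?path=%252e%252e%255cWeb.Config HTTP/1.1" 200 8192
"""

ENDPOINT = "/betterimagegallery/imagehandler"  # compared case-insensitively, as ASP.NET routing is
TRAVERSAL = re.compile(r"\.\.[/\\]")            # '../' or '..\' after decoding
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+$'
)


def normalize(uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so single- and double-encoded '..' compare equal."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()


def is_traversal_attempt(uri: str) -> bool:
    """True when the request targets the vulnerable handler and carries a traversal sequence."""
    norm = normalize(uri)
    return ENDPOINT in norm and TRAVERSAL.search(norm) is not None


def scan_log(text: str) -> list:
    """Return one alert per suspicious line: source IP, decoded URI and response status.
    A 200 status on a flagged line is a triage priority, since the read may have succeeded."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_attempt(m["uri"]):
            continue
        alerts.append({"ip": m["ip"], "uri": normalize(m["uri"]), "status": int(m["status"])})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT {a['ip']} {a['status']} {a['uri']}")
```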
