CVE-2023-7335 Overview
CVE-2023-7335 is an arbitrary file read vulnerability affecting EduSoho, an open-source online education platform. The vulnerability exists in the classroom-course-statistics export functionality, where a remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the server filesystem. This includes sensitive application configuration files such as config/parameters.yml that may contain secrets and database credentials.
Critical Impact
Unauthenticated attackers can read sensitive server files including configuration files containing database credentials and application secrets, potentially leading to full system compromise.
Affected Products
- EduSoho versions prior to 22.4.7
Discovery Timeline
- 2026-01-19 - Exploitation evidence observed by the Shadowserver Foundation
- 2026-01-22 - CVE-2023-7335 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2023-7335
Vulnerability Analysis
This Path Traversal vulnerability (CWE-22) allows remote, unauthenticated attackers to read arbitrary files from affected EduSoho installations. The vulnerability is network-accessible without requiring any user interaction or authentication, making it particularly dangerous for internet-facing deployments. The primary impact is a complete loss of confidentiality, as attackers can access any file readable by the web server process, while system integrity and availability remain unaffected.
The vulnerability was assigned CNVD-2023-03903 by the China National Vulnerability Database, and exploitation activity has been observed in the wild by the Shadowserver Foundation.
Root Cause
The root cause of CVE-2023-7335 is improper input validation in the classroom-course-statistics export functionality. The application fails to properly sanitize or validate the fileNames[] parameter before using it in file system operations. This allows attackers to inject directory traversal sequences (such as ../) to escape the intended directory and access files elsewhere on the filesystem.
The lack of proper path canonicalization and allowlist-based validation enables attackers to construct malicious file paths that reference sensitive system and application configuration files.
Attack Vector
The attack is executed through the classroom-course-statistics export endpoint. An attacker sends a crafted HTTP request containing path traversal sequences in the fileNames[] parameter. By using sequences like ../../../ combined with known file paths, attackers can traverse up from the application directory and access arbitrary files.
A typical exploitation scenario targets the config/parameters.yml file, which in Symfony-based applications (like EduSoho) often contains sensitive configuration data including:
- Database connection strings and credentials
- Application secret keys
- Third-party API keys and tokens
- Email server credentials
The vulnerability requires no authentication, meaning any attacker who can reach the vulnerable endpoint over the network can exploit it. For detailed technical information, refer to the VulnCheck Advisory and the CNVD-2023-03903 Details.
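The root-cause and attack-vector passages above describe a file lookup that joins an attacker-controlled name onto an export directory without canonicalizing it. The following is an added example written for this page, in Python rather than EduSoho's PHP, and is not EduSoho's own code: it models that flaw next to a hardened lookup that percent-decodes the name, canonicalizes it with realpath, and refuses anything that resolves outside the export directory. The directory layout (an export directory three levels below the application root), the .csv allowlist and the function names are assumptions made for the example; the `../../../config/parameters.yml` payload shape is the one the advisory describes.

```python
"""Added example: the flawed and the hardened form of the export file lookup.

Illustrative code written for this page, not EduSoho's PHP source.  A name
taken from fileNames[] is joined onto an export directory and read back.
unsafe_export_path keeps the flaw the advisory describes (no canonicalization,
no allowlist); safe_export_path decodes, canonicalizes with realpath and
confirms the result is still inside the export directory.  The directory
layout (web/files/exports under the application root) and the .csv allowlist
are assumptions.
"""
import os
import tempfile
from urllib.parse import unquote

# Payload shape from the advisory: traverse up to the config directory.
TRAVERSAL_PAYLOAD = "../../../config/parameters.yml"


def fully_decode(name: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return name


def unsafe_export_path(export_dir: str, file_name: str) -> str:
    """Flawed lookup: os.path.join follows ../ straight out of export_dir."""
    return os.path.join(export_dir, file_name)


def safe_export_path(export_dir: str, file_name: str,
                     allowed_suffixes=(".csv",)) -> str:
    """Return the canonical path of file_name inside export_dir, else raise ValueError."""
    name = fully_decode(file_name)
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    base = os.path.realpath(export_dir)
    # realpath collapses ../ and resolves symlinks before the containment check
    target = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole components, so /exports does not accept /exports2/x
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes export directory: %r" % file_name)
    if not target.lower().endswith(allowed_suffixes):
        raise ValueError("extension not allowed: %r" % file_name)
    return target


def demo() -> dict:
    """Build a throwaway tree, run both lookups against the payload, report the outcome."""
    root = tempfile.mkdtemp()
    export_dir = os.path.join(root, "web", "files", "exports")
    os.makedirs(export_dir)
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(export_dir, "stats.csv"), "w") as fh:
        fh.write("course_id,students\n1,42\n")
    with open(os.path.join(root, "config", "parameters.yml"), "w") as fh:
        fh.write("database_password: constructed-secret\n")  # constructed, not real

    # Flawed lookup: the payload resolves to <root>/config/parameters.yml
    with open(unsafe_export_path(export_dir, TRAVERSAL_PAYLOAD)) as fh:
        leaked = "constructed-secret" in fh.read()

    # Hardened lookup: plain, single-encoded and double-encoded payloads all rejected
    blocked = []
    for payload in (TRAVERSAL_PAYLOAD,
                    "%2e%2e%2f%2e%2e%2f%2e%2e%2fconfig%2fparameters.yml",
                    "%252e%252e%252fconfig%252fparameters.yml"):
        try:
            safe_export_path(export_dir, payload)
            blocked.append(False)
        except ValueError:
            blocked.append(True)

    legit = safe_export_path(export_dir, "stats.csv")
    return {
        "unsafe_leaked": leaked,                 # flawed lookup read parameters.yml
        "safe_blocked": all(blocked),            # every traversal payload rejected
        "safe_legit_ok": os.path.isfile(legit),  # a normal export still resolves
    }


if __name__ == "__main__":
    print(demo())
```

The containment check is done on the realpath result rather than on the raw string, so a name that only looks harmless after encoding, or one that escapes through a symlink inside the export directory, is still caught; the extension allowlist is a second, independent gate.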
Detection Methods for CVE-2023-7335
Indicators of Compromise
- HTTP requests to classroom-course-statistics endpoints containing ../ sequences in the fileNames[] parameter
- Unusual access patterns targeting export functionality from external IP addresses
- Web server logs showing requests with URL-encoded (%2e%2e%2f) or double-encoded (%252e%252e%252f) path traversal sequences, which a naive search for the literal ../ would miss
- Access attempts targeting known sensitive files like config/parameters.yml, /etc/passwd, or similar system files
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing path traversal patterns in the fileNames[] parameter
- Configure intrusion detection systems (IDS) to alert on requests with multiple directory traversal sequences
- Monitor application logs for failed file access attempts outside expected directories; note that a successful read produces no failure to log, so this must be paired with inspection of the request parameters themselves
- Deploy SentinelOne Singularity to detect file access anomalies and unauthorized reading of sensitive configuration files
Monitoring Recommendations
- Enable detailed logging for the classroom-course-statistics export functionality
- Set up alerts for access to config/parameters.yml or other sensitive configuration files from web processes; baseline first, because the framework reads this file when it builds its cache, so reads outside deployments and cache warm-ups are the signal
- Monitor for unusual outbound data transfers that could indicate exfiltration of stolen credentials
- Review access logs regularly for requests containing encoded or unencoded traversal sequences
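The indicators and monitoring steps above amount to one check: find requests whose fileNames[] value contains a traversal component, in any encoding, and note whether they hit the course-statistics route and succeeded. The following is an added example written for this page, not EduSoho's code or a vendor detection rule: it parses combined-format (nginx or Apache) access-log lines, decodes the query string repeatedly so that %2e%2e and %252e%252e are both seen as `..`, and reports each matching request. The exact EduSoho route is an assumption (only the "course-statistics" fragment comes from the advisory), and the log lines are constructed for the example.

```python
"""Added example: access-log scan for the traversal indicators listed above.

Illustrative detection logic written for this page; not EduSoho's code and
not a vendor rule.  Parses combined-format access-log lines, decodes the
query string until stable, and flags requests whose fileNames[] value has a
'..' path component.  The route below is an assumption; only the
"course-statistics" fragment comes from the advisory.  The log lines are
constructed for the example.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: two exploitation attempts, one normal export, one
# traversal attempt against an unrelated route.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jan/2026:10:14:03 +0000] "GET /classroom/12/course-statistics/export?fileNames%5B%5D=../../../config/parameters.yml HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.7 - - [19/Jan/2026:10:14:05 +0000] "GET /classroom/12/course-statistics/export?fileNames[]=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2210 "-" "python-requests/2.31"
198.51.100.4 - - [19/Jan/2026:10:20:11 +0000] "GET /classroom/12/course-statistics/export?fileNames[]=statistics-2026-01.csv HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Jan/2026:10:21:40 +0000] "GET /course/5/manage?fileNames[]=../secret HTTP/1.1" 404 153 "-" "curl/8.4"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable, bounded so hostile input cannot loop forever."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True when any path component is '..', with either separator and any encoding."""
    return ".." in fully_decode(value).replace("\\", "/").split("/")


def analyze_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = fully_decode(parts.path)
    # parse_qs decodes once; fully_decode inside has_traversal handles the rest
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = [fully_decode(v) for key, values in query.items()
            if fully_decode(key).startswith("fileNames")
            for v in values if has_traversal(v)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "path": path,
        "targets": hits,
        # a 2xx on the vulnerable route is the strongest sign of a successful read
        "endpoint_match": "course-statistics" in path,
    }


def scan(log_text: str) -> list:
    """Run analyze_line over every line, returning findings in log order."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests on other routes are reported too, with endpoint_match set to False, because a traversal attempt against any parameter is worth a look; the status code tells you whether the read likely succeeded, which is what decides the credential-rotation question in the mitigation section.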
How to Mitigate CVE-2023-7335
Immediate Actions Required
- Upgrade EduSoho to version 22.4.7 or later immediately
- If immediate patching is not possible, restrict network access to the affected endpoints
- Rotate all credentials stored in configuration files (database passwords, API keys, application secrets); if the endpoint was internet-reachable while unpatched, treat them as exposed, since a successful read leaves no trace beyond the access-log entry
- Review server logs for evidence of prior exploitation attempts
Patch Information
EduSoho has released version 22.4.7 which addresses this vulnerability. The patched version is available from the official GitHub releases page. Organizations should prioritize upgrading to this version or later to remediate the vulnerability.
Workarounds
- Block external access to the classroom-course-statistics export endpoints at the web server or firewall level
- Implement a reverse proxy or WAF rule to filter requests containing path traversal sequences targeting the fileNames[] parameter
- Restrict the web server process permissions to limit accessible files using chroot or similar isolation techniques; this reduces what else is readable (for example /etc/passwd) but cannot protect config/parameters.yml, which the application itself must be able to read
- If the classroom course statistics export feature is not required, consider disabling the affected endpoint entirely
# Example nginx configuration to block path traversal attempts
# $args is the raw query string, so the pattern must also cover percent-encoded
# and double-encoded dots; ~* makes the match case-insensitive (%2E as well as
# %2e). This does not inspect request bodies and is a stop-gap until 22.4.7
# is deployed, not a fix.
location ~ /classroom.*course-statistics {
    # Block requests whose fileNames[] value carries two adjacent dots in any encoding
    if ($args ~* "fileNames.*(\.|%2e|%252e)(\.|%2e|%252e)") {
        return 403;
    }
    # Restrict access to internal network only
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.