
CVE-2023-0316:
Froxlor is vulnerable to path traversal

CVSS Score
5.5
CVSS Version
3.1

Basic Information

EPSS Score
0.19424%
Published
1/16/2023
Updated
1/24/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name
froxlor/froxlor
Ecosystem
composer
Vulnerable Versions
< 2.0.0
First Patched Version
2.0.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the file_put_contents call in SImExporter::import which used unsanitized user input from $_data to construct a file path. The original code extracted a filename from $_data without removing directory traversal sequences ('../'), enabling attackers to write files outside the intended directory. The patch explicitly adds str_replace('../', '', ...) to mitigate this, confirming the lack of path traversal sanitization was the root cause. The function's role in handling file imports and the direct use of untrusted input make it clearly vulnerable.
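The pattern the analysis describes, as an added example that is not Froxlor's code: the unsafe path join, the patch-style '../' stripping, and a stricter containment check a reviewer would want alongside it. The function names, the base directory and the $_data payload are constructed for the demonstration.

```php
<?php
// Added example (not Froxlor's code). $_data is the page's name for the
// import payload; everything else here is a constructed assumption.
declare(strict_types=1);

// Vulnerable shape: a file name taken straight from the import payload is
// joined onto the target directory, so '../' segments walk out of it.
function importPathVulnerable(string $baseDir, array $_data): string
{
    return $baseDir . '/' . $_data['filename'];
}

// Patch-style shape described on the page: strip '../' before joining.
function importPathPatched(string $baseDir, array $_data): string
{
    $name = str_replace('../', '', $_data['filename']);
    return $baseDir . '/' . $name;
}

// Stricter check (added here, not part of the patch): stripping '../' is a
// denylist; reducing the input to a bare file name and verifying that the
// resolved parent is the intended directory is what guarantees containment.
function importPathContained(string $baseDir, array $_data): ?string
{
    $name = basename($_data['filename']);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $root = realpath($baseDir);
    if ($root === false) {
        return null;
    }
    $candidate = $root . DIRECTORY_SEPARATOR . $name;
    // Resolve the parent rather than the file so this works before the file exists.
    if (realpath(dirname($candidate)) !== $root) {
        return null;
    }
    return $candidate;
}

// Constructed sample: an import payload carrying a traversal sequence.
$baseDir = sys_get_temp_dir() . '/froxlor-import-demo';
@mkdir($baseDir, 0700, true);
$_data = ['filename' => '../../outside.txt'];

// The first path leaves $baseDir, the second has '../' removed, and the
// third is either a path inside $baseDir or null.
echo importPathVulnerable($baseDir, $_data), PHP_EOL;
echo importPathPatched($baseDir, $_data), PHP_EOL;
var_dump(importPathContained($baseDir, $_data));
```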


WAF Protection Rules

WAF Rule

Path Traversal: '\..\filename' in GitHub repository froxlor/froxlor prior to 2.0.0.
