CVE-2025-28367

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-28367

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-28367.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-28367

Published

2025-04-21T16:15:54Z

Modified

2025-06-27T11:04:34.757047Z

Summary

[none]

Details

mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey.

References

https://www.0xlanks.me/blog/cve-2025-28367-advisory/
https://github.com/i7MEDIA/mojoportal

Affected packages

Git / github.com/i7media/mojoportal

Affected ranges

Type: GIT
Repo: https://github.com/i7media/mojoportal
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

438f8647ebc8f47839f73a1b6cd7a498497531df

Affected versions

v.*

v.2.9.0.0

v2.*

v2.4.0.9

v2.4.1.0

v2.5.0.0

v2.6.0.0

v2.7.0.0

v2.9.0.1

v2.9.1.0