cbcvebase.
CVE-2021-28377
published 2022-01-12

CVE-2021-28377: ChronoForums 2.0.11 allows av Directory Traversal to read arbitrary files.

PriorityP349medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EXPLOIT
EPSS
8.23%
94.2th percentile
ChronoForums 2.0.11 allows av Directory Traversal to read arbitrary files.

Affected

1 ranges
VendorProductVersion rangeFixed in
chronoenginechronoforums

Detection & IOCsextracted from sources · hover to see the quote

url{{BaseURL}}/index.php/component/chronoforums2/profiles/avatar/u1?tvout=file&av=../../../../../../../etc/passwd
path/index.php/component/chronoforums2/profiles/avatar/u1
  • Detect unauthenticated GET requests to the ChronoForums avatar endpoint with 'tvout=file' and path traversal sequences in the 'av' parameter.
  • A successful exploitation returns HTTP 200 with content matching 'root:.*:0:0:' in the response body, indicating /etc/passwd file disclosure.
  • The vulnerability is unauthenticated — no session or credentials are required to exploit the path traversal via the avatar function.
  • Attackers may target the Joomla! configuration file (which contains credentials) via the same traversal vector.
  • ·The traversal depth used in the PoC is 7 levels (../../../../../../..), which may need to be adjusted depending on the server's directory depth for the Joomla! installation.
  • ·The exploit requires no authentication (PR:N, UI:N per CVSS), meaning it is exploitable by any unauthenticated remote attacker against exposed Joomla! instances running ChronoForums 2.0.11.

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.