CVE-2023-26469
published 2023-08-17

CVE-2023-26469: In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.

Priority: P1 (94) · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 81.92% (99.6th percentile)

Affected

1 range

Vendor    Product    Version range    Fixed in
jorani    jorani

Detection & IOCs (extracted from sources)

other:   http.favicon.hash:-2032163853
other:   icon_hash=-2032163853
url:     /session/login
path:    ..%2F..%2Fapplication%2Flogs
cookie:  csrf_test_jorani
  • The exploit chains three vulnerabilities: log poisoning, redirection bypass via header spoofing, and path traversal to achieve unauthenticated RCE. Detection should look for path traversal sequences in the `language` POST parameter targeting `/session/login`.
  • Monitor POST requests to `/session/login` where the `language` parameter contains directory traversal sequences (e.g., `../`) pointing to application log directories.
  • Monitor GET requests to `/pages/view/log-<date>` with the `X-REQUESTED-WITH: XMLHttpRequest` header, which is used to trigger log file inclusion after log poisoning.
  • A 401 HTTP response status combined with the RCE payload marker string `7cca0844e81cd333152def045fe075c2` in the response body is the exploit success condition used in the Nuclei template.
  • The exploit is unauthenticated and affects Jorani prior to version 1.0.2; prioritize detection on internet-exposed Jorani instances identifiable via Shodan favicon hash -2032163853.
  • The `CipheredValue=DummyPassword` field in the POST body is a placeholder used by the PoC/template and does not represent a real credential; actual exploitation may use different values.
  • The EPSS score quoted in the source, 0.92657 (99.748th percentile), indicates a very high probability of exploitation in the wild (the current score is shown at the top of this page); this CVE should be treated as actively exploited.
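The detection points in the list above (traversal in the `language` parameter of a POST to `/session/login`, a follow-up XHR GET to `/pages/view/log-<date>`, and the 401-plus-marker success condition) can be turned into a small correlation rule. The following is an added example written for this page; it is not code from the Nuclei template, from Jorani, or from any of the cited sources. It assumes request records in the shape a reverse proxy or WAF would capture (method, path, headers, body, response status and body), URL-decodes values repeatedly so double-encoded traversal is caught, and correlates stages per source address within a ten-minute window. The record format, the window, the rule names and the sample requests are all constructed for illustration.

```python
"""Detection logic for the CVE-2023-26469 exploit chain (constructed example).

Operates on request records as a reverse proxy or WAF would capture them.
All sample data below is constructed for illustration, not real traffic.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote

# Matches ../ or ..\ once the value has been URL-decoded.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Marker string the Nuclei template checks for in a successful response.
RCE_MARKER = "7cca0844e81cd333152def045fe075c2"
# Window in which a log-poisoning POST and a log-view GET from the same
# source are treated as one chain. The value is an assumption for this example.
CHAIN_WINDOW = timedelta(minutes=10)


def decode_fully(value, max_rounds=3):
    """URL-decode until stable so %252e%252e%252f is seen as ../ as well."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(req):
    """Tag one request record. Returns a list of tag strings (possibly empty)."""
    tags = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    path = decode_fully(req["path"].split("?", 1)[0])

    # Stage 1: log poisoning via traversal in the `language` POST parameter.
    if req["method"] == "POST" and path.endswith("/session/login"):
        params = parse_qs(req.get("body", ""), keep_blank_values=True)
        for lang in params.get("language", []):
            if TRAVERSAL_RE.search(decode_fully(lang)):
                tags.append("login_language_traversal")
                break

    # Stage 2: XHR request that makes the app include the poisoned log file.
    if (req["method"] == "GET" and "/pages/view/log-" in path
            and headers.get("x-requested-with", "").lower() == "xmlhttprequest"):
        tags.append("log_view_xhr")

    # Success condition used by the template: HTTP 401 plus the marker in the body.
    if req.get("status") == 401 and RCE_MARKER in req.get("resp_body", ""):
        tags.append("rce_marker_401")
    return tags


def detect_chain(requests):
    """Correlate stage tags per source address; return a list of alert dicts."""
    alerts = []
    last_poison = {}  # src -> timestamp of the latest traversal POST
    for req in sorted(requests, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(req["ts"])
        src = req["src"]
        tags = classify(req)
        if "login_language_traversal" in tags:
            last_poison[src] = ts
            alerts.append({"src": src, "ts": req["ts"], "rule": "jorani_log_poison_attempt"})
        if ("log_view_xhr" in tags and src in last_poison
                and ts - last_poison[src] <= CHAIN_WINDOW):
            alerts.append({"src": src, "ts": req["ts"], "rule": "cve-2023-26469_chain"})
        if "rce_marker_401" in tags:
            alerts.append({"src": src, "ts": req["ts"], "rule": "cve-2023-26469_rce_success"})
    return alerts


# Constructed sample: one benign login, one full exploit chain, and one lone
# XHR log view with no preceding poisoning attempt from that address.
SAMPLE_REQUESTS = [
    {"ts": "2023-08-17T10:00:00", "src": "203.0.113.5", "method": "POST",
     "path": "/session/login", "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "login=alice&CipheredValue=DummyPassword&language=en", "status": 302, "resp_body": ""},
    {"ts": "2023-08-17T10:01:00", "src": "198.51.100.9", "method": "POST",
     "path": "/session/login", "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "login=x&CipheredValue=DummyPassword&language=..%2F..%2Fapplication%2Flogs",
     "status": 302, "resp_body": ""},
    {"ts": "2023-08-17T10:01:05", "src": "198.51.100.9", "method": "GET",
     "path": "/pages/view/log-2023-08-17", "headers": {"X-REQUESTED-WITH": "XMLHttpRequest"},
     "body": "", "status": 401, "resp_body": "<pre>" + RCE_MARKER + "</pre>"},
    {"ts": "2023-08-17T12:30:00", "src": "192.0.2.7", "method": "GET",
     "path": "/pages/view/log-2023-08-17", "headers": {"X-Requested-With": "XMLHttpRequest"},
     "body": "", "status": 401, "resp_body": "Unauthorized"},
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_REQUESTS):
        print(alert)
```

Run against the constructed sample, the detector raises three alerts, all for 198.51.100.9: the poisoning attempt, the chain, and the success marker. The lone XHR log view from 192.0.2.7 is tagged but not alerted, since there was no traversal POST from that address; a legitimate admin viewing the log page looks the same at stage 2, so stage 1 is what carries the signal. The traversal check deliberately ignores what the path points at: the `language` parameter should only ever hold a short language code, so any `../` in it is anomalous.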

CVSS provenance

nvd         v3.1    9.8    CRITICAL    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck           9.8    CRITICAL