cbcvebase.
CVE-2023-31059
published 2023-04-24

CVE-2023-31059: Repetier Server through 1.4.10 allows ..%5c directory traversal for reading files that contain credentials, as demonstrated by connectionLost.php.

PriorityP179high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
5.57%
91.9th percentile
Repetier Server through 1.4.10 allows ..%5c directory traversal for reading files that contain credentials, as demonstrated by connectionLost.php.

Affected

1 ranges
VendorProductVersion rangeFixed in
repetier-serverrepetier-server<= 1.4.10

Detection & IOCsextracted from sources · hover to see the quote

url{{BaseURL}}/views..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cProgramData%5cRepetier-Server%5cdatabase%5cuser.sql%20/base/connectionLost.php
pathProgramData\Repetier-Server\database\user.sql
filenameconnectionLost.php
  • Detect directory traversal attempts against Repetier Server by looking for '..%5c' sequences in HTTP GET request paths, particularly targeting the /views path prefix.
  • Match HTTP 200 responses whose body begins with the SQLite magic bytes (53514C69746520666F726D617420 3300) to confirm successful credential file exfiltration via traversal.
  • Use Shodan/FOFA queries 'title:"Repetier-Server"' or 'title="Repetier-Server"' to identify exposed instances for proactive scanning.
  • Flag HTTP GET requests where the URL path contains the pattern '/views..%5c' followed by repeated '..%5c' traversal sequences as exploitation attempts for CVE-2023-31059.
  • ·Repetier Server runs as SYSTEM on Windows; successful exploitation of this directory traversal (CVE-2023-31059) chained with CVE-2023-31060 results in full system compromise, not just credential disclosure.
  • ·The traversal payload targets a Windows path (ProgramData); detection rules should account for URL-encoded backslashes (%5c) rather than forward slashes, as this is Windows-specific.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.