CVE-2023-34843
published 2023-06-29

CVE-2023-34843: Traggo Server 0.3.0 is vulnerable to directory traversal via a crafted GET request.

Priority: P2 (61, high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: available (EXPLOIT tag)
EPSS: 7.18% (93.5th percentile)

Affected (1 range)

Vendor   Product   Version range   Fixed in
traggo   traggo    (not given)     (not given)

Detection & IOCs (extracted from sources)

url:  /static/..%5c..%5c..%5c..%5cetc/passwd
path: /static/
  • Send a crafted GET request to the /static/ endpoint using URL-encoded backslash traversal sequences (..%5c) to escape the web root and read /etc/passwd.
  • A successful exploit returns HTTP 200 with Content-Type: text/plain and a body matching the pattern 'root:.*:0:0', indicating /etc/passwd was served.
  • Identify exposed Traggo Server instances via Shodan or FOFA using the 'traggo' HTML fingerprint before probing for the traversal.
  • The traversal payload uses URL-encoded backslashes (%5c), suggesting the vulnerability is exploitable on Windows-style path handling or a server that decodes %5c as a path separator. Verify target OS behaviour before testing.
  • Vulnerability is confirmed only for Traggo Server version 0.3.0 (CPE: cpe:2.3:a:traggo:traggo:0.3.0).
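A log-side and response-side check for the indicators listed above, added here as an example (it is not code from cvebase or the Traggo project). The access-log lines are constructed; the /static/ prefix and the root:.*:0:0 body pattern come from the indicators above, and the detector also decodes twice so doubly-encoded variants of the same traversal are caught.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jun/2023:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 5120
10.0.0.7 - - [29/Jun/2023:10:00:02 +0000] "GET /static/..%5c..%5c..%5c..%5cetc/passwd HTTP/1.1" 200 1337
10.0.0.8 - - [29/Jun/2023:10:00:03 +0000] "GET /static/css/../app.css HTTP/1.1" 200 800
"""
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PASSWD_RE = re.compile(r"root:.*:0:0")  # response-body pattern quoted in the advisory

def decode_path(target: str) -> str:
    """Drop the query string, percent-decode twice (catches double encoding) and
    treat backslash as a separator, which the %5c payload relies on."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.replace("\\", "/")

def is_traversal(target: str, prefix: str = "/static/") -> bool:
    """True when a request aimed at `prefix` resolves to a path outside it."""
    decoded = decode_path(target)
    if not decoded.startswith(prefix):
        return False
    stack = []
    for seg in decoded.split("/"):
        if seg == "..":
            if not stack:
                return True  # nothing left to pop: tried to climb above '/'
            stack.pop()
        elif seg not in ("", "."):
            stack.append(seg)
    return not ("/" + "/".join(stack) + "/").startswith(prefix)

def scan_log(text: str, prefix: str = "/static/") -> list[tuple[str, str, str]]:
    """Return (client_ip, raw_target, status) for each traversal attempt in the log."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_traversal(m["target"], prefix):
            hits.append((m["ip"], m["target"], m["status"]))
    return hits

def served_passwd(status: int, content_type: str, body: str) -> bool:
    """Response-side confirmation from the advisory: 200, text/plain, root:...:0:0 line."""
    return status == 200 and content_type.startswith("text/plain") and bool(PASSWD_RE.search(body))
```

A hit from scan_log paired with a served_passwd match on the corresponding response is the strongest signal that the traversal actually read the file rather than merely being attempted.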