CVE-2023-3643
Published: 2023-07-12
Priority: P180 · Severity: critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 75.21% (99.4th percentile)
A vulnerability was found in Boss Mini 1.4.0 Build 6221. It has been classified as critical. This affects an unknown part of the file boss/servlet/document. The manipulation of the argument path leads to file inclusion. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-233889 was assigned to this vulnerability.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| carel | boss_mini_firmware | — | — |
| carel | boss_mini_firmware | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /boss/servlet/document with a 'path' parameter containing file path values (e.g. /etc/passwd) — the core LFI trigger.
- Match HTTP 200 responses to the above POST request whose body contains the pattern root:.*:0:0: as evidence of successful /etc/passwd disclosure.
- Flag requests where the Referer header contains /boss/app/report/popup.html?/etc/passwd alongside a POST to /boss/servlet/document — this is the exact Referer pattern used by both public exploits.
- Use the FOFA icon hash 1092427843 to identify exposed CAREL Boss-Mini instances on the internet for proactive scanning.
- Exploitation requires the attacker to already be present in the same network segment, despite the CVSS score reflecting network-level access; network segmentation is a meaningful mitigation.
- Only Boss-Mini version 1.4.0 Build 6221 is confirmed affected; version 1.6.0 and later are patched.
- The exploit POSTs URL-encoded (percent-encoded) file paths; detection rules must account for both raw and URL-encoded path values in the POST body.
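An added detection example, not taken from any of the indexed sources: a Python classifier that applies the indicators above to constructed request/response records, decoding the 'path' parameter so both raw and percent-encoded values are caught. The record layout, field names and sample values are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample request/response records (not real traffic); field names are assumed.
SAMPLE_EVENTS = [
    {"method": "POST", "uri": "/boss/servlet/document", "body": "path=%2Fetc%2Fpasswd",
     "referer": "http://supervisor.local/boss/app/report/popup.html?/etc/passwd",
     "status": 200, "resp": "root:x:0:0:root:/root:/bin/sh\n"},
    {"method": "POST", "uri": "/boss/servlet/document", "body": "path=/etc/passwd",
     "referer": "", "status": 403, "resp": "denied"},
    {"method": "POST", "uri": "/boss/servlet/document", "body": "path=report1.pdf",
     "referer": "", "status": 200, "resp": "%PDF-1.4"},
    {"method": "GET", "uri": "/boss/app/index.html", "body": "",
     "referer": "", "status": 200, "resp": "<html>"},
]

# Absolute Unix path, directory traversal, or a Windows drive path in the 'path' value.
SUSPICIOUS_PATH = re.compile(r"(^/|\.\./|^[A-Za-z]:\\)")
# Evidence of /etc/passwd contents in the response body (indicator listed above).
PASSWD_LEAK = re.compile(r"root:.*:0:0:")
# Referer value used by the public exploits (indicator listed above).
REFERER_MARK = "/boss/app/report/popup.html?/etc/passwd"

def classify(ev):
    """Return (verdict, reasons); verdict is benign, attempt or confirmed_disclosure."""
    if ev["method"] != "POST" or ev["uri"].lower() != "/boss/servlet/document":
        return "benign", []
    reasons = []
    # parse_qs percent-decodes once; unquote again so double-encoded values are caught too.
    for raw in parse_qs(ev["body"], keep_blank_values=True).get("path", []):
        decoded = unquote(raw)
        if SUSPICIOUS_PATH.search(decoded):
            reasons.append(f"path={decoded!r}")
    if REFERER_MARK in ev["referer"]:
        reasons.append("known exploit Referer")
    if not reasons:
        return "benign", []
    if ev["status"] == 200 and PASSWD_LEAK.search(ev["resp"]):
        return "confirmed_disclosure", reasons + ["passwd content in response"]
    return "attempt", reasons

def scan(events):
    """Return (body, verdict, reasons) for every non-benign event, for alerting."""
    return [(ev["body"], *classify(ev)) for ev in events if classify(ev)[0] != "benign"]

if __name__ == "__main__":
    for body, verdict, reasons in scan(SAMPLE_EVENTS):
        print(verdict, body, reasons)
```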
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
GHSA
GHSA-6p6c-jp3p-772m (ghsa_unreviewed · 2023-07-12): CVE-2023-3643 [HIGH], CWE-73
CISA ICS
CAREL Boss-Mini (cisa_ics · 2024-06-20 · CVSS 7.3) [HIGH]
ICS Advisory: CAREL Boss-Mini
Release Date: June 20, 2024
Alert Code: ICSA-24-172-02
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: CAREL
- Equipment: Boss-Mini
- Vulnerability: Path Traversal
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to manipulate an argument path, which would lead to information disclosure.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of CAREL Boss-Mini, a local supervisor solution, are affected:
- Boss-Mini: Version 1.4.0 (Build 6221)
## 3.2 Vulnerability Overview
## 3.2.1 I
No detection rules found.
Exploit-DB
Boss Mini v1.4.0 - Local File Inclusion (LFI) (exploitdb · 2026-03-03 · CVSS 7.3): CVE-2023-3643 [HIGH]
---
# Exploit Title: Boss Mini v1.4.0 - Local File Inclusion (LFI)
# Date: 07/12/2023
# Exploit Author: nltt0
# Version: 1.4.0 (Build 6221)
# CVE: CVE-2023-3643
from requests import post
from urllib.parse import quote
from argparse import ArgumentParser
banner = r"""
_____ _ _____
/ __ \ | | / ___|
| / \/ __ _| | __ _ _ __ __ _ ___ ___ \ `--.
| | / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \
| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ /
\____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/
__/ |
|___/
by nltt0 [https://github.com/nltt-br]
"""
print(banner)
try:
parser = ArgumentParser(description='Local file inclusion [Boss Mini]')
parser.add_argument('--domain', required=True, help='Application domain')
parser.add_argument('--file', requ
Exploit-DB
Boss Mini 1.4.0 - local file inclusion (exploitdb · 2024-03-03 · CVSS 7.3): CVE-2023-3643 [HIGH]
---
# Exploit Title: Boss Mini 1.4.0 - local file inclusion
# Date: 07/12/2023
# Exploit Author: [nltt0] (https://github.com/nltt-br))
# CVE: CVE-2023-3643
'''
_____ _ _____
/ __ \ | | / ___|
| / \/ __ _| | __ _ _ __ __ _ ___ ___ \ `--.
| | / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \
| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ /
\____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/
__/ |
|___/
'''
from requests import post
from urllib.parse import quote
from argparse import ArgumentParser
try:
parser = ArgumentParser(description='Local file inclusion [Boss Mini]')
parser.add_argument('--domain', required=True, help='Application domain')
parser.add_argument('--file', required=True, help='Local file')
args = parser.parse_args()
host = args.domai
Nuclei
CAREL Boss Mini <= 1.4.0 - Local File Inclusion (nuclei · CVSS 9.8): CVE-2023-3643 [CRITICAL]
Boss Mini 1.4.0 Build 6221 contains a file inclusion caused by manipulation of the 'path' argument in boss/servlet/document, letting remote attackers include arbitrary files, exploit requires remote access.
Template:
id: CVE-2023-3643
info:
name: CAREL Boss Mini <= 1.4.0 - Local File Inclusion
author: Kazgangap
severity: critical
description: |
Boss Mini 1.4.0 Build 6221 contains a file inclusion caused by manipulation of the 'path' argument in boss/servlet/document, letting remote attackers include arbitrary files, exploit requires remote access.
impact: |
Remote attackers can include arbitrary files, potentially leading to remote code execution or full system compromise.
remediation: |
Update to the latest version of Boss Mini or apply
No writeups or analysis indexed.
Published: 2023-07-12