CVE-2023-3643
published 2023-07-12


Priority: P1 (80)
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: publicly disclosed
EPSS: 75.21% (99.4th percentile)
A vulnerability was found in Boss Mini 1.4.0 Build 6221. It has been classified as critical. This affects an unknown part of the file boss/servlet/document. The manipulation of the argument path leads to file inclusion. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-233889 was assigned to this vulnerability.

Affected (2 ranges)

Vendor   Product              Version range   Fixed in
carel    boss_mini_firmware
carel    boss_mini_firmware

Detection & IOCs (extracted from sources)

url:      /boss/servlet/document
path:     /boss/servlet/document
command:  path=/etc/passwd
url:      /boss/app/report/popup.html?/etc/passwd
other:    icon_hash=="1092427843"
  • Detect POST requests to /boss/servlet/document with a 'path' parameter containing file path values (e.g. /etc/passwd) — the core LFI trigger.
  • Match HTTP 200 responses to the above POST request whose body contains the pattern root:.*:0:0: as evidence of successful /etc/passwd disclosure.
  • Flag requests where the Referer header contains /boss/app/report/popup.html?/etc/passwd alongside a POST to /boss/servlet/document — this is the exact Referer pattern used by both public exploits.
  • Use the FOFA icon hash 1092427843 to identify exposed CAREL Boss-Mini instances on the internet for proactive scanning.
  • Exploitation requires the attacker to already be present in the same network segment, despite the CVSS score reflecting network-level access; network segmentation is a meaningful mitigation.
  • Only Boss-Mini version 1.4.0 Build 6221 is confirmed affected; version 1.6.0 and later are patched.
  • The exploit POSTs URL-encoded (percent-encoded) file paths; detection rules must account for both raw and URL-encoded path values in the POST body.
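The detection notes above translate into a small, testable rule set. The following Python detector is an added example written for this page, not code from cbcvebase or from CAREL; it runs over constructed request/response records (a simplified proxy/WAF event schema that is an assumption, not a real product's log format) and applies the three checks listed: a POST to /boss/servlet/document whose 'path' parameter carries a file path value, the exploit-style Referer, and a 200 response whose body matches root:.*:0:0:. It also normalises single- and double-percent-encoded values so the raw and encoded forms hit the same rule. Treating an absolute path or a parent-directory traversal as a "file path value" (while a bare relative name such as report1.pdf is considered normal) is this example's own heuristic, labelled as such in the code.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample traffic records (not taken from the page or any real capture).
# Each record is a simplified proxy/WAF event: method, URL, headers, POST body,
# and the matching response status and body. This schema is an assumption.
SAMPLE_EVENTS = [
    {   # benign document fetch by a relative file name
        "id": 1, "method": "POST", "url": "/boss/servlet/document",
        "headers": {"Referer": "http://boss.example.test/boss/app/report/popup.html"},
        "body": "path=report1.pdf", "status": 200, "resp_body": "%PDF-1.4 ...",
    },
    {   # raw absolute path, exploit-style Referer, and a successful disclosure
        "id": 2, "method": "POST", "url": "/boss/servlet/document",
        "headers": {"Referer": "http://boss.example.test/boss/app/report/popup.html?/etc/passwd"},
        "body": "path=/etc/passwd", "status": 200,
        "resp_body": "root:x:0:0:root:/root:/bin/sh\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\n",
    },
    {   # percent-encoded path, request blocked upstream (no disclosure)
        "id": 3, "method": "POST", "url": "/boss/servlet/document",
        "headers": {}, "body": "path=%2Fetc%2Fpasswd", "status": 403, "resp_body": "Forbidden",
    },
    {   # double-encoded traversal attempt
        "id": 4, "method": "POST", "url": "/boss/servlet/document",
        "headers": {}, "body": "path=%252E%252E%252Fetc%252Fpasswd", "status": 500, "resp_body": "",
    },
    {   # unrelated endpoint: must not fire
        "id": 5, "method": "GET", "url": "/boss/app/index.html",
        "headers": {}, "body": "", "status": 200, "resp_body": "<html>",
    },
]

TARGET_PATH = "/boss/servlet/document"
EXPLOIT_REFERER = "/boss/app/report/popup.html?/etc/passwd"
# Evidence of /etc/passwd content in a response body (pattern from the page's detection notes).
PASSWD_LINE = re.compile(r"root:[^:\n]*:0:0:")
# Assumption (this example's heuristic): an absolute path or a parent-directory traversal
# in 'path' counts as a "file path value"; a relative name like report1.pdf does not.
FILE_PATH_VALUE = re.compile(r"^/|(^|/)\.\.(/|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so single- and double-encoded values normalise the same way."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_event(ev: dict) -> list:
    """Return the detection tags that apply to one request/response record."""
    tags = []
    if ev["method"] != "POST" or urlsplit(ev["url"]).path != TARGET_PATH:
        return tags
    # parse_qs already strips one layer of encoding; fully_decode handles further layers
    for raw in parse_qs(ev.get("body", ""), keep_blank_values=True).get("path", []):
        if FILE_PATH_VALUE.search(fully_decode(raw)):
            tags.append("lfi_trigger")
            break
    if EXPLOIT_REFERER in ev.get("headers", {}).get("Referer", ""):
        tags.append("exploit_referer")
    if ev.get("status") == 200 and PASSWD_LINE.search(ev.get("resp_body", "")):
        tags.append("passwd_disclosure")
    return tags


def scan(events: list) -> dict:
    """Map event id -> tags, keeping only events that produced at least one tag."""
    return {ev["id"]: t for ev in events if (t := analyze_event(ev))}


if __name__ == "__main__":
    for event_id, tags in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(tags)}")
```

Against the constructed records, events 2, 3 and 4 are tagged and events 1 and 5 are not; only event 2 carries all three tags, which is the combination that indicates a successful disclosure rather than a blocked attempt. Pairing the request-side tag with the response-side tag is what separates "someone probed" from "something leaked" when triaging alerts.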

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P