CVE-2025-28367
published 2025-04-21CVE-2025-28367: mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this…
PriorityP276medium6.5CVSS 3.1
AVNACHPRNUINSUCHILAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
2.13%
79.6th percentile
mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mojoportal | mojoportal | < 2.9.1.0 | 2.9.1.0 |
| msrc | azl3_python-tensorboard_2.11.0-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-2_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_golang_1.15.13-1_on_cbl_mariner_1.0 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor HTTP requests targeting the BetterImageGallery API Controller's ImageHandler action for directory traversal sequences (e.g., '../', '%2e%2e%2f') that attempt to reach Web.Config or other sensitive files outside the web root. ↗
- →Alert on any HTTP 200 responses from the BetterImageGallery ImageHandler endpoint that serve content matching Web.Config structure, as this indicates successful MachineKey exfiltration. ↗
- →The nuclei-style template for this CVE checks for HTTP status 200 as a positive detection signal against mojoPortal instances; correlate 200 responses on ImageHandler traversal paths as a detection trigger.
- ·Successful exploitation yields the ASP.NET MachineKey from Web.Config, which can be leveraged for ViewState deserialization attacks or forging authentication tokens — treat any exposed MachineKey as fully compromised and rotate immediately. ↗
- ·All mojoPortal versions up to and including 2.9.0.1 are affected; ensure patching or removal of the BetterImageGallery component on any exposed instance. ↗
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
vulncheck6.5MEDIUM
vendor_msrc7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-q332-7cfx-q6r5: mojoPortal <=2
ghsa_unreviewed·2025-04-21
CVE-2025-28367 [MEDIUM] CWE-284 GHSA-q332-7cfx-q6r5: mojoPortal <=2
mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey.
VulnCheck
mojoportal mojoportal Improper Access Control
vulncheck·2025·CVSS 6.5
CVE-2025-28367 [MEDIUM] mojoportal mojoportal Improper Access Control
mojoportal mojoportal Improper Access Control
mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey.
Affected: mojoPortal mojoPortal CMS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-28367; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-06-24&host_type=src&vulnerability=cve-2025-28367; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-06-28&host_type=src&vulnerability=cve-20
Microsoft
Arbitrary code execution via the go command with cgo in cmd/go
vendor_msrc·2020-11-10·CVSS 7.5
CVE-2020-28367 [HIGH] CWE-94 Arbitrary code execution via the go command with cgo in cmd/go
Arbitrary code execution via the go command with cgo in cmd/go
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://lear
No detection rules found.
Nuclei
mojoPortal <=2.9.0.1 - Directory Traversal
nuclei·CVSS 6.5
CVE-2025-28367 [MEDIUM] mojoPortal <=2.9.0.1 - Directory Traversal
mojoPortal "
condition: and
- type: status
status:
- 200
# digest: 4a0a00473045022035a6d2013d2342ec9c13a4290c114e9da4f96d228d8f8da0bd1fb1132e08915f022100ada0f8f480e6b696c10d3649341a6b6ffcc483eca16e91ba7eb908b4b24e1b78:922c64590222798bb761d5b6d8e72950
2025-04-21
Published
Exploited in the wild