cbcvebase.
CVE-2025-28367
published 2025-04-21


Priority: P2 76, medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Flags: ITW, Exploit, VulnCheck KEV (exploited in the wild)
EPSS: 2.13% (79.6th percentile)
mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey.

Affected

8 ranges
Vendor | Product | Version range | Fixed in
mojoportal | mojoportal | < 2.9.1.0 | 2.9.1.0
msrc | azl3_python-tensorboard_2.11.0-3_on_azure_linux_3.0 | |
msrc | azl3_python-tensorboard_2.16.2-2_on_azure_linux_3.0 | |
msrc | azure_linux_3.0_arm | |
msrc | azure_linux_3.0_x64 | |
msrc | cbl_mariner_1.0_arm | |
msrc | cbl_mariner_1.0_x64 | |
msrc | cm1_golang_1.15.13-1_on_cbl_mariner_1.0 | |

Detection & IOCs (extracted from sources)

path: Web.Config
  • Monitor HTTP requests targeting the BetterImageGallery API Controller's ImageHandler action for directory traversal sequences (e.g., '../', '%2e%2e%2f') that attempt to reach Web.Config or other sensitive files outside the web root.
  • Alert on any HTTP 200 responses from the BetterImageGallery ImageHandler endpoint that serve content matching Web.Config structure, as this indicates successful MachineKey exfiltration.
  • The nuclei-style template for this CVE checks for HTTP status 200 as a positive detection signal against mojoPortal instances; correlate 200 responses on ImageHandler traversal paths as a detection trigger.
  • Successful exploitation yields the ASP.NET MachineKey from Web.Config, which can be leveraged for ViewState deserialization attacks or forging authentication tokens — treat any exposed MachineKey as fully compromised and rotate immediately.
  • All mojoPortal versions up to and including 2.9.0.1 are affected; ensure patching or removal of the BetterImageGallery component on any exposed instance.
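The monitoring the bullets above describe, as an added example that is not part of this record or of mojoPortal: a Python log-scanning rule that percent-decodes the request URL (including double encoding), keeps only requests naming both BetterImageGallery and ImageHandler (the real URL layout of that endpoint is an assumption), and grades each traversal attempt by response status and whether Web.Config was the target. The log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines for the example (not real traffic). The URL layout
# of the BetterImageGallery ImageHandler endpoint is an assumption; only the two
# tokens the advisory names are matched, so the rule does not depend on it.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2025:10:00:01 +0000] "GET /api/BetterImageGallery/ImageHandler?path=gallery/1.jpg HTTP/1.1" 200 5120
10.0.0.7 - - [21/Apr/2025:10:00:02 +0000] "GET /api/BetterImageGallery/ImageHandler?path=..%2F..%2FWeb.Config HTTP/1.1" 200 2048
10.0.0.9 - - [21/Apr/2025:10:00:03 +0000] "GET /api/BetterImageGallery/ImageHandler?path=%252e%252e%252fWeb.Config HTTP/1.1" 404 311
10.0.0.9 - - [21/Apr/2025:10:00:04 +0000] "GET /images/logo.png?x=../../Web.Config HTTP/1.1" 200 900
"""

# Combined-log format: client, request line, status code.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# A '..' segment followed by either slash style, checked after decoding.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')

def fully_decode(s: str) -> str:
    """Percent-decode until stable so %2e%2e%2f and %252e%252e%252f both become '../'."""
    prev = None
    while prev != s:
        prev, s = s, unquote(s)
    return s

def classify(line: str):
    """Return a finding for a traversal attempt against ImageHandler, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = fully_decode(m['url'])
    lower = url.lower()
    if 'betterimagegallery' not in lower or 'imagehandler' not in lower:
        return None  # other endpoints are out of scope for this rule
    if not TRAVERSAL_RE.search(url):
        return None  # ordinary gallery request
    status = int(m['status'])
    hits_config = 'web.config' in lower
    if status == 200 and hits_config:
        severity = 'critical'  # likely MachineKey disclosure: rotate keys
    elif status == 200:
        severity = 'high'      # traversal served content; inspect the response
    else:
        severity = 'medium'    # blocked or missing file, but still a probe
    return {'src': m['src'], 'status': status, 'severity': severity, 'decoded_url': url}

def scan(log_text: str) -> list:
    # One finding per matching line, in log order.
    return [f for f in map(classify, log_text.splitlines()) if f]
```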

CVSS provenance

nvd (v3.1): 6.5 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
vulncheck: 6.5 MEDIUM
vendor_msrc: 7.5 HIGH