{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T09:52:34.214","vulnerabilities":[{"cve":{"id":"CVE-2023-7335","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-01-22T17:15:53.117","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the server filesystem, including application configuration files such as config/parameters.yml that may contain secrets and database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-19 (UTC)."},{"lang":"es","value":"Las versiones de EduSoho anteriores a la 22.4.7 contienen una vulnerabilidad de lectura arbitraria de archivos en la funcionalidad de exportación de estadísticas de cursos del aula. Un atacante remoto no autenticado puede proporcionar secuencias de salto de ruta manipuladas en el parámetro fileNames[] para leer archivos arbitrarios del sistema de archivos del servidor, incluyendo archivos de configuración de la aplicación como config/parameters.yml que pueden contener secretos y credenciales de la base de datos. Se observó evidencia de explotación por la Shadowserver Foundation el 19-01-2026 (UTC)."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://blog.csdn.net/qq_41904294/article/details/135007351","source":"disclosure@vulncheck.com"},{"url":"https://cn-sec.com/archives/2451582.html","source":"disclosure@vulncheck.com"},{"url":"https://github.com/edusoho/edusoho/releases/tag/v22.4.7","source":"disclosure@vulncheck.com"},{"url":"https://github.com/gobysec/GobyVuls/blob/master/CNVD-2023-03903.md","source":"disclosure@vulncheck.com"},{"url":"https://github.com/zeroChen00/exp-poc/blob/main/EduSoho%E6%95%99%E5%9F%B9%E7%B3%BB%E7%BB%9Fclassropm-course-statistics%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md","source":"disclosure@vulncheck.com"},{"url":"https://www.cnvd.org.cn/flaw/show/CNVD-2023-03903","source":"disclosure@vulncheck.com"},{"url":"https://www.edusoho.com/","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/edusoho-arbitrary-file-read-via-classroom-course-statistics","source":"disclosure@vulncheck.com"}]}}]}