EduSoho Arbitrary File Read Vulnerability in Classroom Course Statistics

Vulnerability

An arbitrary file read vulnerability has been identified in EduSoho versions prior to 22.4.7. The flaw resides in the classroom-course-statistics export functionality, where a remote, unauthenticated attacker can supply path traversal sequences in the fileNames[] parameter. Exploitation allows files to be read from the server's filesystem without authorization, including sensitive application configuration files such as config/parameters.yml, which may contain secret values and database credentials. Evidence of this vulnerability being exploited was observed on January 19, 2026.

Impact

Successful exploitation of this vulnerability allows for unauthorized access to arbitrary files on the server, including sensitive configuration files that could lead to further exploitation, such as remote code execution.

Reproduction

The vulnerability can be reproduced by sending a GET request to the /export/classroom-course-statistics endpoint with a crafted fileNames[] parameter that contains path traversal sequences. The request can be issued with tools such as curl or Postman, or from a web browser with the appropriate headers.
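As an added defender-side example (not part of this advisory or of EduSoho's own code), the following Python scans web-server access-log lines for requests to the export endpoint whose fileNames[] values contain a traversal sequence, percent-decoding repeatedly so single- and double-encoded variants are not missed. The log layout and the sample lines are constructed assumptions for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Export endpoint and parameter named in the advisory.
EXPORT_PATH = "/export/classroom-course-statistics"
PARAM = "fileNames[]"
# A directory-traversal step after decoding: "../" or "..\".
TRAVERSAL = re.compile(r"\.\.[\\/]")
# Assumed access-log layout (constructed): request line followed by the status code.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines; only the second one is a traversal attempt on the export endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jan/2026:10:00:01 +0000] "GET /export/classroom-course-statistics?fileNames[]=report.csv HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Jan/2026:10:00:02 +0000] "GET /export/classroom-course-statistics?fileNames[]=..%2F..%2Fconfig%2Fparameters.yml HTTP/1.1" 200 1840',
    '198.51.100.9 - - [19/Jan/2026:10:00:03 +0000] "GET /course/explore?fileNames[]=../x HTTP/1.1" 404 0',
]

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (e.g. %252e) do not slip past."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_attempt(target: str) -> bool:
    """True if a request to the export endpoint carries a traversal sequence in fileNames[]."""
    parts = urlsplit(target)
    if decode_fully(parts.path) != EXPORT_PATH:
        return False
    # parse_qs already decodes one layer of percent-encoding in keys and values.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if decode_fully(key) != PARAM:
            continue
        if any(TRAVERSAL.search(decode_fully(v)) for v in values):
            return True
    return False

def scan_log(lines):
    """Return (line_number, status, target) for each line that looks like an exploitation attempt."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.search(line)
        if m and is_traversal_attempt(m.group("target")):
            hits.append((n, m.group("status"), m.group("target")))
    return hits
```

A 200 status on a flagged line is the case worth triaging first, since it indicates the file was likely returned; the same logic can be fed a live log stream instead of SAMPLE_LOG.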

Remediation

Users are advised to upgrade to EduSoho version 22.4.7 or later, where this vulnerability has been fixed.

Added: Jan 22, 2026, 7:04 PM
Updated: Jan 22, 2026, 7:04 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.