Vulnerabilities > CVE-2023-25802 - Exposure of Resource to Wrong Sphere vulnerability in Roxy-Wi
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.6.0 don't correctly neutralize `dir/../filename` sequences, such as `/etc/nginx/../passwd`, allowing an actor to gain information about a server. Version 6.3.6.0 has a patch for this issue.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/hap-wi/roxy-wi/commit/0054f25da7cf8c7480452f48e39308b5e392dc67
- https://github.com/hap-wi/roxy-wi/commit/0054f25da7cf8c7480452f48e39308b5e392dc67
- https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-qcmp-q5h3-784m
- https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-qcmp-q5h3-784m