
CVE-2025-28367: n/a in n/a

Severity: Medium
Tags: Vulnerability, CVE-2025-28367, cve, n/a, CWE-284
Published: Mon Apr 21 2025 (04/21/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey.

AI-Powered Analysis

Last updated: 06/21/2025, 14:51:17 UTC

Technical Analysis

CVE-2025-28367 is a directory traversal vulnerability affecting mojoPortal versions up to and including 2.9.0.1. The flaw exists in the BetterImageGallery API Controller, specifically in the ImageHandler action. An attacker can exploit this vulnerability by crafting a malicious request that traverses directories on the server, enabling unauthorized access to sensitive files outside the intended directory scope. The primary impact demonstrated is the ability to access the Web.Config file, which contains critical configuration data including the MachineKey. The MachineKey is used for cryptographic operations such as view state validation and forms authentication in ASP.NET applications. Exposure of this key can lead to further attacks, including forging authentication tokens or tampering with encrypted data. The vulnerability does not require authentication or user interaction but has a high attack complexity, as indicated by the CVSS vector (AV:N/AC:H/PR:N/UI:N). The vulnerability impacts confidentiality significantly (high confidentiality impact), with limited integrity impact and no direct availability impact. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is classified under CWE-284 (Improper Access Control), highlighting insufficient restrictions on resource access. Given the nature of the vulnerability, it is critical for affected installations to assess exposure and implement mitigations promptly to prevent unauthorized disclosure of sensitive configuration data.

Potential Impact

For European organizations using mojoPortal CMS up to version 2.9.0.1, this vulnerability poses a significant risk to confidentiality of sensitive configuration data, particularly the MachineKey. Disclosure of the MachineKey can undermine the security of authentication mechanisms, potentially allowing attackers to forge authentication tokens or decrypt sensitive information. This could lead to unauthorized access to internal systems or user data, increasing the risk of data breaches and compliance violations under regulations such as GDPR. The integrity of the system could be indirectly affected if attackers leverage the MachineKey to manipulate encrypted data or session tokens. While availability is not directly impacted, the breach of confidentiality and potential downstream attacks could disrupt business operations. Organizations in sectors with high reliance on web applications for customer interaction, such as finance, healthcare, and public services, are particularly at risk. The absence of known exploits in the wild provides a window for proactive mitigation, but the medium CVSS score and high confidentiality impact warrant urgent attention.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the BetterImageGallery API Controller and specifically the ImageHandler action via web server configuration or application-level access controls to prevent unauthorized requests.
2. Implement input validation and sanitization to block directory traversal sequences in API requests.
3. Monitor web server logs for suspicious requests attempting directory traversal patterns targeting the ImageHandler endpoint.
4. Isolate or restrict access to the Web.Config file at the file system and web server level to prevent unauthorized read access.
5. Rotate the MachineKey and any related cryptographic keys immediately if exposure is suspected or confirmed to invalidate any compromised tokens or encrypted data.
6. Upgrade mojoPortal to a patched version once available or apply vendor-provided fixes promptly.
7. Employ web application firewalls (WAFs) with custom rules to detect and block directory traversal attempts targeting this vulnerability.
8. Conduct a thorough security review of all API endpoints to identify and remediate similar access control weaknesses.
9. Educate development and operations teams about secure coding practices related to access control and input validation to prevent recurrence.
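The log-monitoring recommendation above, as an added example that is not part of this advisory or of mojoPortal: it scans constructed W3C-style (IIS) log lines for requests to the ImageHandler action whose decoded path or query contains traversal sequences or a Web.config reference, undoing repeated URL encoding first. The URL route /api/BetterImageGallery/ImageHandler and the `path` parameter are assumptions, since the advisory names only the controller and action.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in W3C extended format: date time method uri-stem uri-query status.
# These entries are made up for illustration and are not real traffic.
SAMPLE_LOG = """\
2025-04-22 10:01:02 GET /api/BetterImageGallery/ImageHandler path=gallery/1.jpg 200
2025-04-22 10:01:05 GET /api/BetterImageGallery/ImageHandler path=..%2F..%2FWeb.config 200
2025-04-22 10:01:09 GET /api/BetterImageGallery/ImageHandler path=%252e%252e/%252e%252e/Web.config 200
2025-04-22 10:02:11 GET /Default.aspx - 200
2025-04-22 10:02:15 GET /images/logo.png - 200
"""

# Assumed route: the advisory names the controller and action but not the URL; adjust to your deployment.
ENDPOINT_RE = re.compile(r"/BetterImageGallery/ImageHandler\b", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(\.\.[/\\])|([/\\]web\.config\b)", re.IGNORECASE)

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding so that %252e%252e ends up as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_attempt(uri_stem: str, uri_query: str) -> bool:
    """Flag a request to the ImageHandler action whose decoded stem or query contains traversal."""
    if not ENDPOINT_RE.search(uri_stem):
        return False
    decoded = fully_decode(uri_stem + "?" + uri_query)
    return TRAVERSAL_RE.search(decoded) is not None

def scan_log(text: str) -> list[str]:
    """Return the suspicious lines from a block of W3C-style log text."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith("#"):
            continue  # skip directive lines and malformed entries
        _, _, _, stem, query = parts[:5]
        if is_traversal_attempt(stem, "" if query == "-" else query):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

Feed real log files through scan_log() after adjusting the route to the one your mojoPortal instance exposes; a hit against a 200 response is worth treating as a possible Web.Config disclosure and a trigger for MachineKey rotation.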


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-03-11T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d984bc4522896dcbf7bb8

Added to database: 5/21/2025, 9:09:31 AM

Last enriched: 6/21/2025, 2:51:17 PM

Last updated: 7/17/2025, 8:35:35 AM
