A high-severity vulnerability has been identified in multiple Talemy Spirit products, allowing for Local File Inclusion (LFI). An unauthenticated attacker could exploit this flaw to read sensitive files from the underlying server, potentially exposing confidential data, system configurations, and user credentials. This exposure could lead to further system compromise and significant data breaches.

The vulnerability exists due to an improper control of filenames used in PHP's include or require statements. An attacker can manipulate an input parameter, likely a URL parameter, to specify a local file path on the server. The application fails to properly sanitize this input, causing it to include and potentially execute or display the contents of the specified file. For example, an attacker could use directory traversal sequences (../) to access files outside of the web root, such as /etc/passwd or application configuration files containing database credentials.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to the disclosure of highly sensitive information, including intellectual property, customer data, and system credentials. This data leakage can result in significant financial loss, reputational damage, and potential regulatory fines for non-compliance with data protection standards. If an attacker can leverage this LFI to read files that enable further attacks (e.g., private keys, session files), it could serve as a pivot point for a full system compromise.

Immediate Action:

• Apply Patches: Immediately apply the security updates provided by Talemy Spirit across all affected products to permanently resolve the vulnerability.
• Monitor and Review: Actively monitor for exploitation attempts by reviewing web server access logs and application logs for suspicious patterns indicative of LFI attacks.

Proactive Monitoring:

• Log Analysis: Search web server logs for directory traversal patterns (e.g., ../, ..%2F), requests for common sensitive files (e.g., /etc/passwd, wp-config.php, web.config), and the use of PHP wrappers like php://filter.
• IDS/IPS: Ensure Intrusion Detection/Prevention Systems are updated with signatures that can detect and block LFI attempts.
• File Integrity Monitoring (FIM): Use FIM on critical system and application files to detect any unauthorized changes that could result from a chained attack.

Compensating Controls:

• Web Application Firewall (WAF): Implement a WAF with a robust ruleset to filter malicious requests containing directory traversal sequences and other LFI payloads.
• Input Validation: If possible, implement stricter input validation at the application or reverse proxy level to ensure that user-supplied data for file operations does not contain path-related characters.
• Harden Permissions: Restrict the web server's file system permissions to the bare minimum required for operation, preventing it from accessing sensitive system files outside of the web root directory.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the critical nature of information disclosure vulnerabilities, it is strongly recommended that organizations prioritize the immediate application of vendor-supplied patches. While there is no current evidence of active exploitation, vulnerabilities of this type are frequently targeted by attackers. If immediate patching is not feasible, implement the recommended compensating controls, such as deploying a WAF and hardening file permissions, to reduce the attack surface while planning for a swift patching cycle.