A high-severity vulnerability has been identified in multiple dedalx products, including Cook&Meal. This flaw allows an attacker to trick the application into accessing and displaying the contents of sensitive files on the server, a technique known as Local File Inclusion (LFI). Successful exploitation could lead to data breaches, disclosure of confidential information, and potentially a full system compromise.

The vulnerability exists due to an improper control of filenames used in PHP's include() or require() statements. An unauthenticated remote attacker can manipulate input parameters that specify file paths to include directory traversal sequences (e.g., ../../..). This allows the attacker to break out of the intended directory and force the application to read and execute arbitrary files from the local server filesystem, such as configuration files containing credentials (/etc/passwd, wp-config.php) or application source code. In certain server configurations, this flaw could be escalated to achieve remote code execution.

This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could have a significant negative impact on the business. The primary risks include the breach of confidential data, such as customer information, intellectual property, and system credentials, leading to regulatory fines and reputational damage. If an attacker achieves code execution, they could take complete control of the server, disrupt business operations, or use the compromised system as a pivot point to attack other internal network resources.

Immediate Action: Organizations must apply the security updates provided by the vendor, dedalx, to all affected systems without delay. After patching, it is crucial to review web server and application access logs for any signs of exploitation attempts that may have occurred prior to remediation.

Proactive Monitoring: Security teams should configure monitoring tools to detect and alert on LFI attack patterns. In web server logs, look for requests containing directory traversal sequences (../, %2e%2e/), null byte characters (%00), and attempts to access common sensitive files. A Web Application Firewall (WAF) or Intrusion Detection System (IDS) should be configured with rulesets to identify and block such malicious requests in real-time.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:

• Deploy a WAF with strict rules to block directory traversal and file inclusion patterns.
• Harden the server's PHP configuration by setting allow_url_include to Off and restricting file access to necessary directories using the open_basedir directive.
• Enforce the principle of least privilege for the web server's user account to limit the scope of files an attacker can access.

Public Exploit Available: false

Given the high CVSS score of 8.1 and the potential for complete system compromise, this vulnerability poses a significant risk to the organization. We strongly recommend that all affected dedalx products are patched immediately. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a prime candidate for future inclusion. Organizations should treat this as an urgent priority and implement the recommended remediation and monitoring actions to prevent potential exploitation.