A high-severity vulnerability has been identified in multiple Michele Giorgi products, including Formality. This flaw, a Local File Inclusion, could allow an unauthenticated remote attacker to read sensitive files from the underlying server, potentially exposing system configurations, credentials, and other confidential data, and may lead to further system compromise.

The vulnerability is an Improper Control of a Filename for an Include/Require Statement, commonly known as Local File Inclusion (LFI). The application uses user-supplied input to construct a file path for a PHP include or require statement without proper validation or sanitization. An attacker can exploit this by manipulating the input with directory traversal sequences (e.g., ../) to force the application to include and display the contents of arbitrary files from the server's filesystem. This could expose sensitive information such as source code, configuration files containing credentials (e.g., wp-config.php), or system files (e.g., /etc/passwd). In certain configurations, this LFI could be escalated to achieve remote code execution.

This vulnerability is rated as High severity with a CVSS score of 8.1. Successful exploitation could lead to a significant data breach, exposing sensitive corporate data, customer information, or intellectual property stored on the server. The disclosure of configuration files could provide attackers with credentials to other systems, such as databases, leading to a wider compromise of the organization's infrastructure. The potential for reputational damage, regulatory fines, and loss of customer trust is substantial.

Immediate Action: Apply vendor security updates immediately upon availability. After patching, it is critical to monitor for any signs of post-patch exploitation attempts and thoroughly review web server access logs for any activity that occurred prior to the patch being applied.

Proactive Monitoring: Security teams should actively monitor web server and application logs for suspicious patterns indicative of LFI exploitation attempts. Look for directory traversal strings such as ../, ..%2f, ..\/, or encoded variations within URL parameters and other user-controlled input. Monitor for unexpected file access attempts by the web server process on the host system.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Utilize a Web Application Firewall (WAF) with rules specifically designed to detect and block directory traversal and file inclusion attacks.
• Enforce strict file system permissions to limit the files that the web server user account can read, thereby restricting the impact of a successful LFI attack.
• Ensure the PHP open_basedir directive is configured to restrict the file paths that PHP can access.

Public Exploit Available: false

Due to the high severity (CVSS 8.1) of this vulnerability, immediate action is required. Organizations using the affected Michele Giorgi products must prioritize the deployment of vendor-supplied security patches to prevent potential data breaches and system compromise. While this CVE is not currently on the CISA KEV list, its high impact score makes it a prime candidate for future inclusion. If patching is delayed, the compensating controls outlined above should be implemented immediately to reduce the attack surface.