A high-severity vulnerability has been identified in multiple products from the vendor "Improper," specifically impacting the InPost Gallery software. This flaw could allow an unauthenticated remote attacker to trick the application into including and executing unintended files on the server. Successful exploitation could lead to sensitive information disclosure, unauthorized system access, or complete system compromise.

The vulnerability is an Improper Control of a Filename for an Include/Require Statement, a classic PHP File Inclusion flaw. The application uses user-supplied input (likely a URL parameter) to construct a file path for a PHP include or require statement without proper sanitization. An attacker can exploit this by providing directory traversal sequences (e.g., ../../..) in the input to navigate the file system and include arbitrary local files, resulting in a Local File Inclusion (LFI). This could allow the attacker to read sensitive files such as configuration files containing credentials (wp-config.php), system user files (/etc/passwd), or application source code. In some scenarios, if the attacker can also control the contents of a file on the server (e.g., through a file upload or log poisoning), this LFI can be escalated to achieve remote code execution (RCE).

This vulnerability is rated as High severity with a CVSS score of 7.5, posing a significant risk to the organization. Exploitation can directly lead to the breach of confidential data, including customer information, intellectual property, and system credentials, which could result in regulatory penalties and reputational damage. If escalated to remote code execution, an attacker could gain full control over the affected server, using it as a pivot point to move laterally within the network, disrupt business operations, or deploy ransomware.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately across all affected systems. After patching, system administrators should actively monitor for any signs of exploitation attempts by reviewing web server and application access logs for unusual requests or errors.

Proactive Monitoring: Security teams should configure monitoring and alerting for suspicious patterns in web server logs indicative of LFI attempts. This includes searching for directory traversal strings like ../, ..%2f, and ..\ within URL query parameters. Additionally, monitor for unexpected file access on the server by the web service account and any unusual outbound network connections from the web server.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a ruleset designed to detect and block LFI and directory traversal attacks. Further, harden the server's PHP configuration by ensuring allow_url_fopen and allow_url_include are disabled to prevent remote file inclusion, and enforce strict file system permissions to limit the web server's read access to only necessary directories.

Public Exploit Available: false

Given the high severity (CVSS 7.5) of this vulnerability and the potential for complete system compromise, it is strongly recommended that the vendor-supplied patches be applied as a top priority. Although this CVE is not currently listed on the CISA KEV catalog, its nature as a file inclusion flaw makes it an attractive target for threat actors. If patching is delayed for any reason, the compensating controls outlined above, particularly the use of a Web Application Firewall, should be implemented immediately to reduce the risk of exploitation.