A high-severity vulnerability has been discovered in multiple designervily Karzo products, identified as a Local File Inclusion (LFI) flaw. This vulnerability could allow an unauthenticated remote attacker to read sensitive files on the server, such as configuration files or user data. Successful exploitation could lead to information disclosure, credential theft, and further system compromise.

The vulnerability exists due to an improper control of filenames used in PHP include or require statements within the affected Karzo products. An attacker can exploit this by manipulating a user-supplied input parameter to specify a path to a local file on the server. The application will then include and display the contents of the specified file, allowing an unauthenticated remote attacker to read arbitrary files on the server's filesystem, such as configuration files containing credentials, system user information, or application source code.

This vulnerability is rated as High severity with a CVSS score of 8.1. Successful exploitation could lead to significant business impact, including the exposure of sensitive corporate data, customer information, and intellectual property. An attacker could potentially retrieve credentials from configuration files, leading to unauthorized access to other internal systems and databases. This breach of confidentiality and integrity can result in severe reputational damage, regulatory fines, and financial loss.

Immediate Action: Organizations must prioritize the immediate application of security updates provided by designervily Karzo across all affected products. After patching, it is crucial to review web server and application logs for any signs of exploitation attempts that may have occurred before the patch was applied.

Proactive Monitoring: Implement continuous monitoring of web server access logs for suspicious requests containing directory traversal patterns (e.g., ../, ..%2F) or attempts to access sensitive system files (e.g., /etc/passwd, C:\Windows\win.ini). Utilize a Web Application Firewall (WAF) with rules specifically designed to detect and block Local File Inclusion (LFI) attack patterns.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk. Deploy a Web Application Firewall (WAF) to filter malicious input and block LFI attempts. Harden the underlying server by enforcing strict file permissions to limit the web server process's access to sensitive files outside the web root directory.

Public Exploit Available: false

Given the high severity (CVSS 8.1) of this vulnerability and the potential for severe data compromise, we strongly recommend that all organizations using affected designervily Karzo products apply the vendor-supplied security patches immediately as the primary mitigation. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its nature makes it an attractive target for attackers. Proactive patching is the most effective defense to prevent potential exploitation and protect sensitive corporate assets.