A high-severity vulnerability has been identified in multiple MadrasThemes MAS products, including MAS Videos. This flaw, a Local File Inclusion (LFI), allows an attacker to trick the web server into accessing and displaying the contents of sensitive files on the server. Successful exploitation could lead to the exposure of confidential data, system credentials, and potentially a full system compromise.

The vulnerability exists due to improper input validation on a parameter used in a PHP include() or require() function. An attacker can manipulate this parameter using directory traversal sequences (e.g., ../) to force the application to include and execute or display arbitrary local files from the server's file system. For example, an attacker could craft a URL like http://example.com/vulnerable_script.php?file=../../../../etc/passwd to read the system's user list, or access configuration files containing database credentials. This can lead to sensitive information disclosure and provide a foothold for further attacks.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could lead to significant business impact, including the breach of sensitive company or customer data, disclosure of application source code, and exposure of system configuration details and credentials. These outcomes can result in regulatory fines, reputational damage, and loss of customer trust. If an attacker can leverage this vulnerability to read files that enable further compromise, it could lead to a complete takeover of the affected server.

Immediate Action: Apply the security updates provided by MadrasThemes MAS to all affected products immediately. After patching, it is critical to review web server access logs for any requests indicating exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: Monitor web server and WAF (Web Application Firewall) logs for suspicious requests containing directory traversal patterns like ../, ..%2f, or absolute file paths in URL parameters. Monitor for outbound traffic to unusual destinations, which could indicate a successful compromise. File Integrity Monitoring (FIM) can also be used to detect unauthorized changes to critical files.

Compensating Controls: If patching cannot be performed immediately, implement a WAF with a strict ruleset to detect and block LFI and path traversal attacks. Harden the PHP server configuration by ensuring allow_url_include is disabled and by using the open_basedir directive to limit the files that PHP can access. Ensure the web server process runs with the lowest possible privileges to limit the impact of a successful file inclusion.

Public Exploit Available: true

Given the high severity (CVSS 7.5) of this vulnerability and the public availability of exploit code, we recommend that organizations prioritize the immediate application of vendor-supplied patches to all affected MadrasThemes MAS products. This vulnerability presents a clear and present danger of sensitive data exposure. Even though it is not currently listed on the CISA KEV catalog, its characteristics make it a prime target for attackers. The recommended compensating and monitoring controls should be implemented to provide layered defense and detect potential compromise.