A Local File Inclusion vulnerability in Goya Core allows authenticated contributors to bypass file system restrictions, posing a significant risk of unauthorized data exposure.

This is a Local File Inclusion (LFI) vulnerability triggered by insufficient input validation. The flaw requires the attacker to hold at least a 'Contributor' level authentication to successfully execute the file inclusion.

The vulnerability carries a CVSS score of 7.5, indicating a high severity risk. Successful exploitation could allow an attacker to read sensitive configuration files, credentials, or source code, potentially leading to a full system compromise. This represents a significant risk to data confidentiality and integrity.

Immediate Action: Update Goya Core to the latest patched version provided by Everthemess to eliminate the vulnerable code path.

Proactive Monitoring: Review web server and application logs for suspicious directory traversal patterns, such as sequences like "../" or null byte injections.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block directory traversal attempts targeting the application’s file-handling parameters.

Public Exploit Available: false

Given the potential for unauthorized file access, IT administrators must prioritize patching this vulnerability immediately. Organizations should audit user access rights to ensure that only trusted individuals hold contributor-level permissions until the patch is successfully applied.