CVE-2025-28367

Name of the Vulnerable Software and Affected Versions mojoPortal versions 2.9.0.1 and earlier

Description The issue allows an attacker to perform a Directory Traversal attack via the BetterImageGallery API Controller, specifically through the ImageHandler action. This can lead to unauthorized access to sensitive files, such as the Web.Config file, potentially exposing the MachineKey.

Recommendations For versions 2.9.0.1 and earlier, consider restricting access to the BetterImageGallery API Controller, specifically the ImageHandler action, until a patch is available. As a temporary workaround, limit the exposure of sensitive files like the Web.Config file to minimize the risk of exploitation.