CVE-2023-3643

HIGH NUCLEI

Boss Mini 1.4.0 Build 6221 - File Inclusion

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-3643. PoCs published by andersoncezar048. A Nuclei detection template is also available.

AI-analyzed exploit summary This Python script exploits a Local File Inclusion (LFI) vulnerability in Boss Mini v1.4.0 by sending a crafted POST request to the '/boss/servlet/document' endpoint with a URL-encoded file path, allowing arbitrary file read access.

Description

A vulnerability was found in Boss Mini 1.4.0 Build 6221. It has been classified as critical. This affects an unknown part of the file boss/servlet/document. The manipulation of the argument path leads to file inclusion. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-233889 was assigned to this vulnerability.

Exploits (1)

exploitdb WORKING POC

by andersoncezar048 · pythonwebappsmultiple

https://www.exploit-db.com/exploits/52482

View Code ZIP pw:eip

This Python script exploits a Local File Inclusion (LFI) vulnerability in Boss Mini v1.4.0 by sending a crafted POST request to the '/boss/servlet/document' endpoint with a URL-encoded file path, allowing arbitrary file read access.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Boss Mini v1.4.0 (Build 6221)

No auth needed

Prerequisites: network access to the target application

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed May 16, 2026 Full analysis →

Nuclei Templates (1)

CAREL Boss Mini <= 1.4.0 - Local File Inclusion

CRITICALVERIFIEDby Kazgangap

FOFA: icon_hash=="1092427843"

References (3)

Core 3

Core References

Third Party Advisory vdb-entry technical-description

https://vuldb.com/?id.233889

Third Party Advisory signature permissions-required

https://vuldb.com/?ctiid.233889

Exploit, Third Party Advisory exploit

https://drive.google.com/file/d/1RXmDUAjqZvWSvHUrfRerz7My6M3KX7YG/view

Scores

CVSS v3 7.3

EPSS 0.7521

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-73

Status published

Products (1)

carel/boss_mini_firmware 1.4.0 build_6221

Published Jul 12, 2023

Tracked Since Feb 18, 2026