CVE-2023-31718

FUXA is a web-based SCADA/HMI platform for industrial automation and real-time process visualization [1]. The /api/download endpoint, intended for downloading reports, is vulnerable to Local File Inclusion (LFI) due to insufficient validation of the name parameter. An attacker can supply path traversal sequences (e.g., ../../../../../../etc/passwd) to read arbitrary files from the server filesystem [3].

Exploitation requires no authentication; a simple HTTP GET request to /api/download?cmd=REPORT-DOWNLOAD&name=../../../../../../etc/passwd suffices. The vulnerability affects all FUXA versions up to and including 1.1.12 [3].

Successful exploitation allows an attacker to read sensitive files such as system configuration files, application secrets, and user credentials, potentially leading to further compromise of the server and connected industrial systems.

Users should upgrade to a patched version of FUXA beyond 1.1.12. As of the publication date, the project maintainers have not released an official advisory, but the issue is documented in public repositories [1][3].