Total
20 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-52325 | 1 Trendmicro | 1 Apex Central | 2024-09-12 | N/A | 7.5 HIGH |
A local file inclusion vulnerability in one of Trend Micro Apex Central's widgets could allow a remote attacker to execute arbitrary code on affected installations. Please note: this vulnerability must be used in conjunction with another one to exploit an affected system. In addition, an attacker must first obtain a valid set of credentials on target system in order to exploit this vulnerability. | |||||
CVE-2024-8252 | 1 Codection | 1 Clean Login | 2024-09-03 | N/A | 8.8 HIGH |
The Clean Login plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.14.5 via the 'template' attribute of the clean-login-register shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||
CVE-2024-6589 | 1 Thimpress | 1 Learnpress | 2024-08-26 | N/A | 8.8 HIGH |
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.6.8.2 via the 'render_content_block_template' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||
CVE-2024-5762 | 1 Zen-cart | 1 Zen Cart | 2024-08-23 | N/A | 8.1 HIGH |
Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Zen Cart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the findPluginAdminPage function. The issue results from the lack of proper validation of user-supplied data prior to passing it to a PHP include function. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account. Was ZDI-CAN-21408. | |||||
CVE-2024-43261 | 2024-08-19 | N/A | 9.6 CRITICAL | ||
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hamed Naderfar Compute Links allows PHP Remote File Inclusion.This issue affects Compute Links: from n/a through 1.2.1. | |||||
CVE-2024-4359 | 2024-08-12 | N/A | 6.5 MEDIUM | ||
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.7.2 via the SVG widget and a lack of sufficient file validation in the render_svg function. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | |||||
CVE-2024-30849 | 2024-08-01 | N/A | 9.8 CRITICAL | ||
Arbitrary file upload vulnerability in Sourcecodester Complete E-Commerce Site v1.0, allows remote attackers to execute arbitrary code via filename parameter in admin/products_photo.php. | |||||
CVE-2024-21687 | 2024-08-01 | N/A | 8.1 HIGH | ||
This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server. This File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to get the application to display the contents of a local file, or execute a different files already stored locally on the server which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires no user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives). This vulnerability was reported via our Bug Bounty program. | |||||
CVE-2024-36569 | 2024-07-03 | N/A | 8.1 HIGH | ||
Sourcecodester Gas Agency Management System v1.0 is vulnerable to arbitrary code execution via editClientImage.php. | |||||
CVE-2024-33863 | 2024-07-03 | N/A | 9.8 CRITICAL | ||
An issue was discovered in linqi before 1.4.0.1 on Windows. There is /api/Cdn/GetFile local file inclusion. | |||||
CVE-2024-4315 | 2024-06-13 | N/A | 9.1 CRITICAL | ||
parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The `sanitize_path_from_endpoint` function fails to properly sanitize Windows-style paths (backward slash `\`), allowing attackers to perform directory traversal attacks on Windows systems. This vulnerability can be exploited through various routes, including `personalities` and `/del_preset`, to read or delete any file on the Windows filesystem, compromising the system's availability. | |||||
CVE-2024-36415 | 1 Salesagility | 1 Suitecrm | 2024-06-12 | N/A | 8.8 HIGH |
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
CVE-2024-35650 | 1 Melapress | 1 Melapress Login Security | 2024-06-12 | N/A | 7.2 HIGH |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Melapress MelaPress Login Security allows PHP Remote File Inclusion.This issue affects MelaPress Login Security: from n/a through 1.3.0. | |||||
CVE-2024-35629 | 1 Wow-company | 1 Easy Digital Downloads | 2024-06-10 | N/A | 9.8 CRITICAL |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Easy Digital Downloads – Recent Purchases allows PHP Remote File Inclusion.This issue affects Easy Digital Downloads – Recent Purchases: from n/a through 1.0.2. | |||||
CVE-2024-31459 | 2024-06-10 | N/A | 8.0 HIGH | ||
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue with the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in database. The read data is directly used to concatenate the file path which is used for file inclusion. Version 1.2.27 contains a patch for the issue. | |||||
CVE-2023-49084 | 1 Cacti | 1 Cacti | 2024-06-10 | N/A | 8.8 HIGH |
Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the `link.php`. Impact of the vulnerability execution of arbitrary code on the server. | |||||
CVE-2024-1600 | 2024-04-10 | N/A | 9.3 CRITICAL | ||
A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. An attacker can exploit this vulnerability by crafting a URL that includes directory traversal sequences (`../../`) followed by the desired system file path, URL encoded. Successful exploitation allows the attacker to read any file on the filesystem accessible by the web server. This issue arises due to improper control of filename for include/require statement in the application. | |||||
CVE-2024-0315 | 1 Fireeye | 1 Central Management | 2024-02-28 | N/A | 7.8 HIGH |
Remote file inclusion vulnerability in FireEye Central Management affecting version 9.1.1.956704. This vulnerability allows an attacker to upload a malicious PDF file to the system during the report creation process. | |||||
CVE-2023-4195 | 1 Agentejo | 1 Cockpit | 2024-02-28 | N/A | 8.8 HIGH |
PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3. | |||||
CVE-2022-4606 | 1 Flatpress | 1 Flatpress | 2024-02-28 | N/A | 9.8 CRITICAL |
PHP Remote File Inclusion in GitHub repository flatpressblog/flatpress prior to 1.3. |