Total: 8 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-31459 | | | 2024-05-14 | N/A | 8.0 HIGH | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue with the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in the database. The read data is directly used to concatenate the file path which is used for file inclusion. Version 1.2.27 contains a patch for the issue. |
| CVE-2024-1600 | | | 2024-04-10 | N/A | 9.3 CRITICAL | A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. An attacker can exploit this vulnerability by crafting a URL that includes directory traversal sequences (`../../`) followed by the desired system file path, URL encoded. Successful exploitation allows the attacker to read any file on the filesystem accessible by the web server. This issue arises due to improper control of the filename for an include/require statement in the application. |
| CVE-2023-49084 | 1 Cacti | 1 Cacti | 2024-03-18 | N/A | 8.8 HIGH | Cacti is a robust performance and fault management framework and a frontend to RRDTool, a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is `link.php`. Impact of the vulnerability: execution of arbitrary code on the server. |
| CVE-2024-0315 | 1 Fireeye | 1 Central Management | 2024-02-05 | N/A | 7.8 HIGH | Remote file inclusion vulnerability in FireEye Central Management affecting version 9.1.1.956704. This vulnerability allows an attacker to upload a malicious PDF file to the system during the report creation process. |
| CVE-2023-3452 | 1 Canto | 1 Canto | 2024-02-05 | N/A | 9.8 CRITICAL | The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. Local File Inclusion is also possible, albeit less useful because it requires that the attacker be able to upload a malicious PHP file via FTP or some other means into a directory readable by the web server. |
| CVE-2023-4195 | 1 Agentejo | 1 Cockpit | 2024-02-05 | N/A | 8.8 HIGH | PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3. |
| CVE-2022-4606 | 1 Flatpress | 1 Flatpress | 2024-02-04 | N/A | 9.8 CRITICAL | PHP Remote File Inclusion in GitHub repository flatpressblog/flatpress prior to 1.3. |
| CVE-2020-5295 | 1 Octobercms | 1 October | 2024-02-04 | 4.0 MEDIUM | 4.9 MEDIUM | In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. The issue has been patched in Build 466 (v1.0.466). |