CVE-2017-1000029 CVSS:5.0
Oracle GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to a Local File Inclusion vulnerability that makes it possible to include arbitrary files on the server; this vulnerability can be exploited without any prior authentication. (Last Update:2017-07-21) (Publish Update:2017-07-17)
CVE-2017-15583 CVSS:0.0
The embedded web server on ABB Fox515T 1.0 devices is vulnerable to Local File Inclusion. It accepts a parameter that specifies a file for display or for use as a template. The filename is not validated; an attacker could retrieve any file. (Last Update:2017-10-18) (Publish Update:2017-10-18)
CVE-2017-14509 CVSS:6.5
An issue was discovered in SugarCRM before, 7.8.x before, and 7.9.x before (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a module=CallRest&url= query string. Proper input validation has been added to mitigate this issue. (Last Update:2017-09-22) (Publish Update:2017-09-17)
CVE-2017-14404 CVSS:5.0
The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows local file inclusion via the tool_list parameter (aka the url_tool variable) to module/tool_all/select_tool.php, as demonstrated by a tool_list=php://filter/ substring. (Last Update:2017-09-18) (Publish Update:2017-09-12)
CVE-2017-11658 CVSS:5.0
In the WP Rocket plugin 2.9.3 for WordPress, the Local File Inclusion mitigation technique is to trim traversal characters (..) -- however, this is insufficient to stop remote attacks and can be bypassed by using 0x00 bytes, as demonstrated by a .%00.../.%00.../ attack. (Last Update:2017-08-04) (Publish Update:2017-07-26)
CVE-2017-7282 CVSS:7.1
An issue was discovered in Unitrends Enterprise Backup before 9.1.1. The function downloadFile in api/includes/restore.php blindly accepts any filename passed to /api/restore/download as valid. This allows an authenticated attacker to read any file in the filesystem that the web server has access to, aka Local File Inclusion (LFI). (Last Update:2017-04-24) (Publish Update:2017-04-19)
CVE-2017-6774 CVSS:4.0
A vulnerability in Cisco ASR 5000 Series Aggregated Services Routers running the Cisco StarOS operating system could allow an authenticated, remote attacker to overwrite or modify sensitive system files. The vulnerability is due to the inclusion of sensitive system files within specific FTP subdirectories. An attacker could exploit this vulnerability by overwriting sensitive configuration files through FTP. An exploit could allow the attacker to overwrite configuration files on an affected system. Cisco Bug IDs: CSCvd47739. Known Affected Releases: 21.0.v0.65839. (Last Update:2017-08-25) (Publish Update:2017-08-17)
CVE-2017-6325 CVSS:6.0
The Symantec Messaging Gateway can encounter a file inclusion vulnerability, which is a type of vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. This file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability will result in remote code execution on the web server that runs the affected web application. (Last Update:2017-07-06) (Publish Update:2017-06-26)
CVE-2017-5595 CVSS:2.1
A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user-input being passed to readfile(), which allows an authenticated attacker to read local system files (e.g., /etc/passwd) in the context of the web server user (www-data). The attack vector is a .. (dot dot) in the path parameter within a zm/index.php?view=file&path= request. (Last Update:2017-02-16) (Publish Update:2017-02-06)
CVE-2016-10399 CVSS:5.0
Sendio versions before 8.2.1 were affected by a Local File Inclusion vulnerability that allowed an unauthenticated, remote attacker to read potentially sensitive system files via a specially crafted URL. (Last Update:2017-08-07) (Publish Update:2017-07-27)