CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2019(File Inclusion) (CVSS score >= 3)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-17108 79 XSS File Inclusion 2019-10-08 2019-10-15
4.3
None Remote Medium Not required None Partial None
Local file inclusion in brokerPerformance.php in Centreon Web before 2.8.28 allows attackers to disclose information or perform a stored XSS attack on a user.
2 CVE-2019-16679 22 Dir. Trav. File Inclusion 2019-09-21 2019-09-23
4.0
None Remote Low Single system Partial None None
Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion.
3 CVE-2019-15839 74 File Inclusion 2019-08-30 2019-09-05
5.0
None Remote Low Not required Partial None None
The sina-extension-for-elementor plugin before 2.2.1 for WordPress has local file inclusion.
4 CVE-2019-15322 20 File Inclusion 2019-08-22 2019-08-26
7.5
None Remote Low Not required Partial Partial Partial
The shortcode-factory plugin before 2.8 for WordPress has Local File Inclusion.
5 CVE-2019-14798 22 Dir. Trav. File Inclusion 2019-08-09 2019-08-14
4.0
None Remote Low Single system Partial None None
The 10Web Photo Gallery plugin before 1.5.25 for WordPress has Authenticated Local File Inclusion via directory traversal in the wp-admin/admin-ajax.php?action=shortcode_bwg tagtext parameter.
6 CVE-2019-14312 22 Dir. Trav. File Inclusion 2019-08-09 2019-08-19
4.0
None Remote Low Single system Partial None None
Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer. This vulnerability allows a remote attacker to read internal files on the server via a tools/sourceViewer/index.html?filename=../ URI.
7 CVE-2019-14277 611 Exec Code File Inclusion 2019-07-26 2019-10-10
7.5
None Remote Low Not required Partial Partial Partial
** DISPUTED ** Axway SecureTransport 5.x through 5.3 (or 5.x through 5.5 with certain API configuration) is vulnerable to unauthenticated blind XML injection (and XXE) in the resetPassword functionality via the REST API. This vulnerability can lead to local file disclosure, DoS, or URI invocation attacks (i.e., SSRF with resultant remote code execution). NOTE: The vendor disputes this issues as not being a vulnerability because ?All attacks that use external entities are blocked (no external DTD or file inclusions, no SSRF). The impact on confidentiality, integrity and availability is not proved on any version.?
8 CVE-2019-14205 200 +Info File Inclusion 2019-07-21 2019-07-31
5.0
None Remote Low Not required Partial None None
A Local File Inclusion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to retrieve arbitrary files via the $REQUEST['adaptive-images-settings']['source_file'] parameter in adaptive-images-script.php.
9 CVE-2019-13396 22 Dir. Trav. File Inclusion 2019-07-10 2019-07-17
5.0
None Remote Low Not required Partial None None
FlightPath 4.x and 5.0-x allows directory traversal and Local File Inclusion through the form_include parameter in an index.php?q=system-handle-form-submit POST request because of an include_once in system_handle_form_submit in modules/system/system.module.
10 CVE-2019-13237 200 +Info File Inclusion 2019-08-27 2019-09-02
4.0
None Remote Low Single system Partial None None
In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp.
11 CVE-2019-13063 22 Dir. Trav. File Inclusion 2019-09-23 2019-09-23
5.0
None Remote Low Not required Partial None None
Within Sahi Pro 8.0.0, an attacker can send a specially crafted URL to include any victim files on the system via the script parameter on the Script_view page. This will result in file disclosure (i.e., being able to pull any file from the remote victim application). This can be used to steal and obtain sensitive config and other files. This can result in complete compromise of the application. The script parameter is vulnerable to directory traversal and both local and remote file inclusion.
12 CVE-2019-12593 22 Dir. Trav. File Inclusion 2019-06-03 2019-06-04
5.0
None Remote Low Not required Partial None None
IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index.php?style=..%5c directory traversal.
13 CVE-2019-12464 22 Exec Code Dir. Trav. File Inclusion 2019-09-09 2019-09-10
6.0
None Remote Medium Single system Partial Partial Partial
An issue was discovered in LibreNMS 1.50.1. An authenticated user can perform a directory traversal attack against the /pdf.php file with a partial filename in the report parameter, to cause local file inclusion resulting in code execution.
14 CVE-2019-12314 22 Dir. Trav. File Inclusion 2019-05-24 2019-05-28
7.5
None Remote Low Not required Partial Partial Partial
Deltek Maconomy 2.2.5 is prone to local file inclusion via absolute path traversal in the WS.macx1.W_MCS/ PATH_INFO, as demonstrated by a cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS//etc/passwd URI.
15 CVE-2019-11591 352 Dir. Trav. CSRF File Inclusion 2019-04-29 2019-08-22
6.8
None Remote Medium Not required Partial Partial Partial
The WebDorado Contact Form plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.
16 CVE-2019-11590 352 Dir. Trav. CSRF File Inclusion 2019-04-29 2019-05-03
6.8
None Remote Medium Not required Partial Partial Partial
The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.
17 CVE-2019-11557 352 Dir. Trav. CSRF File Inclusion 2019-04-26 2019-08-22
6.8
None Remote Medium Not required Partial Partial Partial
The WebDorado Contact Form Builder plugin before 1.0.69 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.
18 CVE-2019-11537 79 XSS File Inclusion 2019-04-25 2019-05-07
4.3
None Remote Medium Not required None Partial None
In osTicket before 1.12, XSS exists via /upload/file.php, /upload/scp/users.php?do=import-users, and /upload/scp/ajax.php/users/import if an agent manager user uploads a crafted .csv file to the User Importer, because file contents can appear in an error message. The XSS can lead to local file inclusion.
19 CVE-2019-11397 22 Dir. Trav. File Inclusion 2019-05-14 2019-05-16
4.0
None Remote Low Single system Partial None None
GetFile.aspx in Rapid4 RapidFlows Enterprise Application Builder 4.5M.23 (when used with .NET Framework 4.5) allows Local File Inclusion via the FileDesc parameter.
20 CVE-2019-11327 22 Dir. Trav. File Inclusion 2019-09-20 2019-09-23
4.0
None Remote Low Single system Partial None None
An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver devices with firmware 5.2.2. The web interface of the product has a local file inclusion vulnerability. An attacker with administrative privileges can craft a special URL to read arbitrary files from the device's files system.
21 CVE-2019-9618 77 File Inclusion 2019-05-13 2019-08-22
7.5
None Remote Low Not required Partial Partial Partial
The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the "cfg" parameter.
22 CVE-2019-8385 22 Exec Code Dir. Trav. File Inclusion 2019-06-05 2019-06-06
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Thomson Reuters Desktop Extensions 1.9.0.358. An unauthenticated directory traversal and local file inclusion vulnerability in the ThomsonReuters.Desktop.Service.exe and ThomsonReuters.Desktop.exe allows a remote attacker to list or enumerate sensitive contents of files via a \.. to port 6677. Additionally, this could allow for privilege escalation by dumping the affected machine's SAM and SYSTEM database files, as well as remote code execution.
23 CVE-2019-7387 22 Dir. Trav. File Inclusion 2019-02-04 2019-05-08
4.0
None Remote Low Single system Partial None None
A local file inclusion vulnerability exists in the web interface of Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. When the export function is called from system/maintenance/export.php, it accepts the path provided by the user, leading to path traversal via the name parameter.
24 CVE-2019-7254 264 File Inclusion 2019-07-02 2019-07-05
9.0
None Remote Low Single system Complete Complete Complete
Linear eMerge E3-Series devices allow File Inclusion.
25 CVE-2019-6714 22 Exec Code Dir. Trav. File Inclusion 2019-03-21 2019-06-18
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in BlogEngine.NET through 3.3.6.0. A path traversal and Local File Inclusion vulnerability in PostList.ascx.cs can cause unauthenticated users to load a PostView.ascx component from a potentially untrusted location on the local filesystem. This is especially dangerous if an authenticated user uploads a PostView.ascx file using the file manager utility, which is currently allowed. This results in remote code execution for an authenticated user.
26 CVE-2019-4263 200 +Info File Inclusion 2019-07-11 2019-10-09
4.0
None Remote Low Single system Partial None None
IBM Content Navigator 3.0CD is vulnerable to local file inclusion, allowing an attacker to access a configuration file in the ICN server. IBM X-Force ID: 160015.
27 CVE-2018-20985 20 File Inclusion 2019-08-22 2019-08-26
7.5
None Remote Low Not required Partial Partial Partial
The wp-payeezy-pay plugin before 2.98 for WordPress has local file inclusion in pay.php, donate.php, donate-rec, and pay-rec.
28 CVE-2018-20973 20 File Inclusion 2019-08-16 2019-08-21
7.5
None Remote Low Not required Partial Partial Partial
The companion-auto-update plugin before 3.2.1 for WordPress has local file inclusion.
29 CVE-2018-18863 22 Dir. Trav. File Inclusion 2019-06-19 2019-06-19
4.0
None Remote Low Single system Partial None None
NGA ResourceLink 20.0.2.1 allows local file inclusion.
30 CVE-2018-14886 264 File Inclusion 2019-06-28 2019-07-05
4.0
None Remote Low Single system Partial None None
The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST's local file inclusion, which allows privileged authenticated users to read local files via a crafted module description.
31 CVE-2017-9376 20 File Inclusion 2019-03-25 2019-04-02
5.0
None Remote Low Not required Partial None None
ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do.
32 CVE-2016-10991 20 File Inclusion 2019-09-17 2019-09-18
5.0
None Remote Low Not required Partial None None
The imdb-widget plugin before 1.0.9 for WordPress has Local File Inclusion.
33 CVE-2016-10956 20 File Inclusion 2019-09-16 2019-09-16
5.0
None Remote Low Not required Partial None None
The mail-masta plugin 1.0 for WordPress has local file inclusion in count_of_send.php and csvexport.php.
34 CVE-2015-9415 20 File Inclusion 2019-09-25 2019-09-27
5.0
None Remote Low Not required None Partial None
The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclusion.
35 CVE-2015-6461 20 File Inclusion 2019-03-21 2019-10-09
5.5
None Remote Low Single system Partial Partial None
Remote file inclusion allows an attacker to craft a specific URL referencing the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, or BMXP342030H PLC web server, which, when launched, will result in the browser redirecting to a remote file via a Java script loaded with the web page.
36 CVE-2014-10384 20 File Inclusion 2019-08-22 2019-08-26
7.5
None Remote Low Not required Partial Partial Partial
The memphis-documents-library plugin before 3.0 for WordPress has Local File Inclusion.
37 CVE-2014-10383 20 File Inclusion 2019-08-22 2019-08-26
7.5
None Remote Low Not required Partial Partial Partial
The memphis-documents-library plugin before 3.0 for WordPress has Remote File Inclusion.
38 CVE-2014-9186 20 Exec Code File Inclusion 2019-04-08 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential information disclosure or remote code execution. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version.
39 CVE-2013-7483 20 File Inclusion 2019-08-22 2019-08-29
7.5
None Remote Low Not required Partial Partial Partial
The slidedeck2 plugin before 2.3.5 for WordPress has file inclusion.
Total number of vulnerabilities : 39   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.