SimpGB 1.46.02 stores sensitive information under the web root with insufficient access control, which allows remote attackers to (1) obtain sensitive configuration information via a direct request for admin/cfginfo.php; and (2) download arbitrary .inc files via a direct request, as demonstrated by admin/includes/dbtables.inc.
Max CVSS
5.0
EPSS Score
0.63%
Published
2007-09-27
Updated
2018-10-15
SimpGB 1.46.02 allows remote attackers to obtain sensitive information via (1) an invalid lang parameter to admin/index.php or (2) a direct request to admin/trailer.php, which reveals the path in various error messages.
Max CVSS
4.3
EPSS Score
0.61%
Published
2007-09-27
Updated
2018-10-15
2 vulnerabilities found