| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2023-27894 | 200 | | Bypass +Info File Inclusion | 2023-03-14 | 2023-03-20 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, allows an attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, an attacker can scan the internal network to determine internal infrastructure for further attacks like remote file inclusion, retrieve server files, bypass the firewall and force the vulnerable server to execute malicious requests, resulting in sensitive information disclosure. This causes limited impact on confidentiality of data. |
| 2 | CVE-2023-26038 | 426 | | File Inclusion | 2023-02-25 | 2023-03-07 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | ZoneMinder is a free, open source closed-circuit television software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via web/ajax/modal.php, where an arbitrary PHP file path can be passed in the request and loaded. This issue is patched in versions 1.36.33 and 1.37.33. |
| 3 | CVE-2023-26036 | 426 | | File Inclusion | 2023-02-25 | 2023-03-07 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | ZoneMinder is a free, open source closed-circuit television software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via /web/index.php. By controlling $view, any local file ending in .php can be executed. This is supposed to be mitigated by calling detaintPath; however, detaintPath does not properly sandbox the path. This can be exploited by constructing paths like "..././", which get replaced by "../". This issue is patched in versions 1.36.33 and 1.37.33. |
| 4 | CVE-2023-25260 | | | File Inclusion | 2023-03-28 | 2023-03-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Stimulsoft Designer (Web) 2023.1.3 is vulnerable to Local File Inclusion. |
| 5 | CVE-2023-24217 | | | File Inclusion | 2023-03-06 | 2023-03-13 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | AgileBio Electronic Lab Notebook v4.234 was discovered to contain a local file inclusion vulnerability. |
| 6 | CVE-2023-24202 | 434 | | File Inclusion | 2023-02-06 | 2023-02-10 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Raffle Draw System v1.0 was discovered to contain a local file inclusion vulnerability via the page parameter in index.php. |
| 7 | CVE-2023-23330 | | | File Inclusion | 2023-03-28 | 2023-03-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | amano Xparc parking solutions 7.1.3879 was discovered to be vulnerable to local file inclusion. |
| 8 | CVE-2023-22973 | 22 | | Exec Code Dir. Trav. File Inclusion | 2023-02-22 | 2023-03-03 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A Local File Inclusion (LFI) vulnerability in interface/forms/LBF/new.php in OpenEMR < 7.0.0 allows remote authenticated users to execute code via the formname parameter. |
| 9 | CVE-2023-20064 | 862 | | File Inclusion | 2023-03-09 | 2023-03-16 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A vulnerability in the GRand Unified Bootloader (GRUB) for Cisco IOS XR Software could allow an unauthenticated attacker with physical access to the device to view sensitive files on the console using the GRUB bootloader command line. This vulnerability is due to the inclusion of unnecessary commands within the GRUB environment that allow sensitive files to be viewed. An attacker could exploit this vulnerability by being connected to the console port of the Cisco IOS XR device when the device is power-cycled. A successful exploit could allow the attacker to view sensitive files that could be used to conduct additional attacks against the device. |
| 10 | CVE-2023-0467 | 22 | | Dir. Trav. File Inclusion | 2023-03-27 | 2023-03-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The WP Dark Mode WordPress plugin before 4.0.8 does not properly sanitize the style parameter in shortcodes before using it to load a PHP template. This leads to Local File Inclusion on servers where non-existent directories may be traversed, or when chained with another vulnerability allowing arbitrary directory creation. |
| 11 | CVE-2022-47945 | | | Exec Code File Inclusion | 2022-12-23 | 2022-12-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php. |
| 12 | CVE-2022-47615 | 434 | | File Inclusion | 2023-01-26 | 2023-02-02 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin versions <= 4.1.7.3.2. |
| 13 | CVE-2022-45867 | 22 | | Dir. Trav. File Inclusion | 2023-01-03 | 2023-01-10 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and execution. |
| 14 | CVE-2022-45088 | 20 | | File Inclusion | 2023-02-12 | 2023-03-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows PHP Local File Inclusion. This issue affects Smartpower Web: before 23.01.01. |
| 15 | CVE-2022-45052 | 552 | | File Inclusion | 2023-01-04 | 2023-01-11 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A Local File Inclusion vulnerability has been found in Axiell Iguana CMS. Due to insufficient neutralisation of user input on the url parameter on the Proxy.type.php endpoint, external users are capable of accessing files on the server. |
| 16 | CVE-2022-44786 | | | File Inclusion | 2022-11-21 | 2022-11-23 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An issue was discovered in Appalti & Contratti 9.12.2. The target web applications allow Local File Inclusion in any page relying on the href parameter to specify the JSP page to be rendered. This affects ApriPagina.do POST and GET requests to each application. |
| 17 | CVE-2022-44784 | | | File Inclusion | 2022-11-21 | 2022-11-23 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An issue was discovered in Appalti & Contratti 9.12.2. The target web applications LFS and DL229 expose a set of services provided by the Axis 1.4 instance, embedded directly into the applications, as hinted by the WEB-INF/web.xml file leaked through Local File Inclusion. Among the exposed services is the Axis AdminService, which, under the default configuration, should normally be accessible only from localhost. Nevertheless, in both LFS and DL229 the service can actually be reached by remote users, allowing creation of arbitrary services on the server side. When an attacker can reach the AdminService, they can use it to instantiate arbitrary services on the server. The exploit procedure is well known and described in Generic AXIS-SSRF exploitation. Basically, the attack consists of writing a JSP page inside the root directory of the web application, through the org.apache.axis.handlers.LogHandler class. |
| 18 | CVE-2022-43979 | 22 | | Exec Code Dir. Trav. File Inclusion | 2023-01-27 | 2023-02-06 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | There is a Path Traversal that leads to a Local File Inclusion in Pandora FMS v764. A function is called to check that the parameter the user has inserted does not contain malicious characters, but this check is insufficient. An attacker could insert an absolute path to overcome the check, thus being able to include any PHP file that resides on the disk. The exploitation of this vulnerability could lead to remote code execution. |
| 19 | CVE-2022-42234 | 552 | | File Inclusion | 2022-10-14 | 2022-10-17 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | There is a file inclusion vulnerability in the template management module in UCMS 1.6. |
| 20 | CVE-2022-42029 | 434 | | File Inclusion | 2022-10-17 | 2022-10-19 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory. |
| 21 | CVE-2022-41571 | | | File Inclusion | 2022-09-27 | 2022-09-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Local file inclusion can occur. |
| 22 | CVE-2022-41547 | | | File Inclusion | 2022-10-18 | 2022-10-20 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request. |
| 23 | CVE-2022-41343 | 552 | | File Inclusion | 2022-09-25 | 2022-11-21 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule. |
| 24 | CVE-2022-41216 | 22 | | Dir. Trav. File Inclusion | 2023-02-22 | 2023-03-02 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Local File Inclusion vulnerability within Cloudflow allows attackers to retrieve confidential information from the system. |
| 25 | CVE-2022-40742 | 22 | | Dir. Trav. File Inclusion | 2022-10-31 | 2022-11-01 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Mail SQR Expert system has a Local File Inclusion vulnerability. An unauthenticated remote attacker can exploit this vulnerability to execute an arbitrary PHP file with an .asp file extension under specific system paths, to access and modify partial system information; it does not affect service availability. |
| 26 | CVE-2022-40089 | | | Exec Code File Inclusion | 2022-09-22 | 2022-09-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A remote file inclusion (RFI) vulnerability in Simple College Website v1.0 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploitable when the directive allow_url_include is set to On. |
| 27 | CVE-2022-39838 | 22 | | Dir. Trav. File Inclusion | 2022-09-05 | 2022-09-09 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Systematic FIX Adapter (ALFAFX) 2.4.0.25 13/09/2017 allows remote file inclusion via a UNC share pathname, and also allows absolute path traversal to local pathnames. |
| 28 | CVE-2022-38258 | 668 | | DoS File Inclusion | 2022-09-08 | 2023-02-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A local file inclusion (LFI) vulnerability in D-Link DIR 819 v1.06 allows attackers to cause a Denial of Service (DoS) or access sensitive server information via manipulation of the getpage parameter in a crafted web request. |
| 29 | CVE-2022-34121 | 829 | | File Inclusion | 2022-07-27 | 2022-08-04 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Cuppa CMS v1.0 was discovered to contain a local file inclusion (LFI) vulnerability via the component /templates/default/html/windows/right.php. |
| 30 | CVE-2022-34002 | 22 | | Dir. Trav. File Inclusion | 2022-09-16 | 2022-09-19 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The 'document' parameter of PDS Vista 7's /application/documents/display.aspx page is vulnerable to a Local File Inclusion vulnerability which allows a low-privileged authenticated attacker to leak the configuration files and source code of the web application. |
| 31 | CVE-2022-32409 | 94 | | Exec Code File Inclusion | 2022-07-14 | 2022-07-20 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | A local file inclusion (LFI) vulnerability in the component codemirror.php of Portal do Software Publico Brasileiro i3geo v7.0.5 allows attackers to execute arbitrary PHP code via a crafted HTTP request. |
| 32 | CVE-2022-30037 | 829 | | Exec Code File Inclusion | 2023-03-23 | 2023-03-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | XunRuiCMS v4.3.3 to v4.5.1 is vulnerable to PHP file write and CMS PHP file inclusion, which allows attackers to execute arbitrary PHP code via the add function in cron.php. |
| 33 | CVE-2022-29597 | 22 | | Dir. Trav. File Inclusion | 2022-06-02 | 2022-06-12 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Solutions Atlantic Regulatory Reporting System (RRS) v500 is vulnerable to Local File Inclusion (LFI). Any authenticated user has the ability to reference internal system files within requests made to the RRSWeb/maint/ShowDocument/ShowDocument.aspx page. The server will successfully respond with the file contents of the internal system file requested. This ability could allow adversaries to extract sensitive data and/or files from the underlying file system, gain knowledge about the internal workings of the system, or access source code of the application. |
| 34 | CVE-2022-29448 | 706 | | File Inclusion | 2022-05-20 | 2022-05-26 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Herd Effects plugin <= 5.2 at WordPress. |
| 35 | CVE-2022-29447 | 552 | | File Inclusion | 2022-05-20 | 2022-06-02 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Authenticated (administrator or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Hover Effects plugin <= 2.1 at WordPress. |
| 36 | CVE-2022-29446 | 552 | | File Inclusion | 2022-05-19 | 2022-05-26 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Counter Box plugin <= 1.1.1 at WordPress. |
| 37 | CVE-2022-29445 | 706 | | File Inclusion | 2022-05-18 | 2022-05-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Popup Box plugin <= 2.1.2 at WordPress. |
| 38 | CVE-2022-29014 | | | File Inclusion | 2022-06-09 | 2022-06-17 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A local file inclusion vulnerability in Razer Sila Gaming Router v2.0.441_api-2.0.418 allows attackers to read arbitrary files. |
| 39 | CVE-2022-28997 | 918 | | File Inclusion | 2022-05-23 | 2022-06-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None | CSZCMS v1.3.0 allows attackers to execute a Server-Side Request Forgery (SSRF) which can be leveraged to leak sensitive data via a local file inclusion at /admin/filemanager/connector/. |
| 40 | CVE-2022-28741 | 20 | | File Inclusion | 2022-09-09 | 2022-09-14 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | aEnrich a+HRD 5.x Learning Management Key Performance Indicator System has a local file inclusion (LFI) vulnerability that occurs due to missing input validation in v5.x. |
| 41 | CVE-2022-28521 | | | File Inclusion | 2022-04-26 | 2022-05-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | ZCMS v20170206 was discovered to contain a file inclusion vulnerability via index.php?m=home&c=home&a=sp_set_config. |
| 42 | CVE-2022-28093 | | | Exec Code File Inclusion | 2022-04-25 | 2022-05-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SCBS Online Sports Venue Reservation System v1.0 was discovered to contain a local file inclusion vulnerability which allows attackers to execute arbitrary code via a crafted PHP file. |
| 43 | CVE-2022-27257 | 668 | | File Inclusion | 2022-04-15 | 2022-04-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A PHP Local File Inclusion vulnerability in the default Redbasic theme for Hubzilla before version 7.2 allows remote attackers to include arbitrary PHP files via the schema parameter. |
| 44 | CVE-2022-27256 | 601 | | File Inclusion | 2022-04-13 | 2022-04-20 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | A PHP Local File Inclusion vulnerability in the Redbasic theme for Hubzilla before version 7.2 allows remote attackers to include arbitrary PHP files via the schema parameter. |
| 45 | CVE-2022-27243 | | | File Inclusion | 2022-03-18 | 2022-03-25 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting. |
| 46 | CVE-2022-26646 | | | File Inclusion | 2022-03-30 | 2022-04-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Online Banking System Protect v1.0 was discovered to contain a local file inclusion (LFI) vulnerability via the pages parameter. |
| 47 | CVE-2022-25486 | 829 | | File Inclusion | 2022-03-15 | 2022-10-27 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertConfigField.php. |
| 48 | CVE-2022-25485 | 829 | | File Inclusion | 2022-03-15 | 2022-03-23 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertLightbox.php. |
| 49 | CVE-2022-24232 | 829 | | Exec Code File Inclusion | 2022-02-24 | 2022-03-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | A local file inclusion in Hospital Patient Record Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. |
| 50 | CVE-2022-23536 | | | File Inclusion | 2022-12-19 | 2022-12-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. As a workaround, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section before sending them to the Set Alertmanager Configuration API. |