| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2017-1000192 | | | File Inclusion | 2017-11-17 | 2019-10-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Cygnux sysPass version 2.1.7 and older is vulnerable to a Local File Inclusion in the JavaScript file inclusion functionality. The attacker can read the configuration files that contain the login and password from the database, private encryption key, as well as other sensitive information. |
| 2 | CVE-2017-1000029 | 200 | | +Info File Inclusion | 2017-07-17 | 2017-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Oracle GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to a Local File Inclusion vulnerability that makes it possible to include arbitrary files on the server. This vulnerability can be exploited without any prior authentication. |
| 3 | CVE-2017-15583 | 200 | | +Info File Inclusion | 2017-10-18 | 2017-11-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The embedded web server on ABB Fox515T 1.0 devices is vulnerable to Local File Inclusion. It accepts a parameter that specifies a file for display or for use as a template. The filename is not validated; an attacker could retrieve any file. |
| 4 | CVE-2017-14509 | 20 | | File Inclusion | 2017-09-17 | 2017-12-30 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a module=CallRest&url= query string. Proper input validation has been added to mitigate this issue. |
| 5 | CVE-2017-14404 | 200 | | +Info File Inclusion | 2017-09-13 | 2021-02-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows local file inclusion via the tool_list parameter (aka the url_tool variable) to module/tool_all/select_tool.php, as demonstrated by a tool_list=php://filter/ substring. |
| 6 | CVE-2017-11658 | 22 | | Dir. Trav. Bypass File Inclusion | 2017-07-26 | 2017-08-04 | 5.0 | None | Remote | Low | Not required | Partial | None | None | In the WP Rocket plugin 2.9.3 for WordPress, the Local File Inclusion mitigation technique is to trim traversal characters (..) -- however, this is insufficient to stop remote attacks and can be bypassed by using 0x00 bytes, as demonstrated by a .%00.../.%00.../ attack. |
| 7 | CVE-2017-7282 | 200 | | +Info File Inclusion | 2017-04-20 | 2017-04-25 | 7.1 | None | Remote | Medium | Not required | Complete | None | None | An issue was discovered in Unitrends Enterprise Backup before 9.1.1. The function downloadFile in api/includes/restore.php blindly accepts any filename passed to /api/restore/download as valid. This allows an authenticated attacker to read any file in the filesystem that the web server has access to, aka Local File Inclusion (LFI). |
| 8 | CVE-2017-6774 | 552 | | File Inclusion | 2017-08-17 | 2019-10-03 | 4.0 | None | Remote | Low | ??? | None | Partial | None | A vulnerability in Cisco ASR 5000 Series Aggregated Services Routers running the Cisco StarOS operating system could allow an authenticated, remote attacker to overwrite or modify sensitive system files. The vulnerability is due to the inclusion of sensitive system files within specific FTP subdirectories. An attacker could exploit this vulnerability by overwriting sensitive configuration files through FTP. An exploit could allow the attacker to overwrite configuration files on an affected system. Cisco Bug IDs: CSCvd47739. Known Affected Releases: 21.0.v0.65839. |
| 9 | CVE-2017-6325 | 94 | | Exec Code File Inclusion | 2017-06-26 | 2017-07-07 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial | The Symantec Messaging Gateway can encounter a file inclusion vulnerability, which is a type of vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. This file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability will result in remote code execution on the web server that runs the affected web application. |
| 10 | CVE-2017-5595 | 200 | | +Info File Inclusion | 2017-02-06 | 2017-02-16 | 2.1 | None | Local | Low | Not required | Partial | None | None | A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user input being passed to readfile(), which allows an authenticated attacker to read local system files (e.g., /etc/passwd) in the context of the web server user (www-data). The attack vector is a .. (dot dot) in the path parameter within a zm/index.php?view=file&path= request. |
| 11 | CVE-2016-10399 | 538 | | File Inclusion | 2017-07-27 | 2017-08-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Sendio versions before 8.2.1 were affected by a Local File Inclusion vulnerability that allowed an unauthenticated, remote attacker to read potentially sensitive system files via a specially crafted URL. |
| 12 | CVE-2016-4806 | 200 | | +Info File Inclusion | 2017-01-11 | 2017-01-19 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Web2py versions 2.14.5 and below were affected by a Local File Inclusion vulnerability, which allows a malicious user to read/access sensitive web server files. |
| 13 | CVE-2015-9227 | 94 | | Exec Code File Inclusion | 2017-09-11 | 2017-09-18 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | PHP remote file inclusion vulnerability in the get_file function in upload/admin2/controller/report_logs.php in AlegroCart 1.2.8 allows remote administrators to execute arbitrary PHP code via a URL in the file_path parameter to upload/admin2. |
| 14 | CVE-2015-8351 | 94 | | Exec Code Dir. Trav. File Inclusion | 2017-09-11 | 2018-10-09 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled. |
| 15 | CVE-2015-5070 | 200 | | +Info File Inclusion | 2017-09-26 | 2017-10-10 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | The (1) filesystem::get_wml_location function in filesystem.cpp and (2) is_legal_file function in filesystem_boost.cpp in Battle for Wesnoth before 1.12.4 and 1.13.x before 1.13.1, when a case-insensitive filesystem is used, allow remote attackers to obtain sensitive information via vectors related to inclusion of .pbl files from WML. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5069. |
| 16 | CVE-2015-5069 | 200 | | +Info File Inclusion | 2017-09-26 | 2017-10-10 | 4.0 | None | Remote | Low | ??? | Partial | None | None | The (1) filesystem::get_wml_location function in filesystem.cpp and (2) is_legal_file function in filesystem_boost.cpp in Battle for Wesnoth before 1.12.3 and 1.13.x before 1.13.1 allow remote attackers to obtain sensitive information via vectors related to inclusion of .pbl files from WML. |
| 17 | CVE-2014-8705 | 20 | | Exec Code File Inclusion | 2017-03-17 | 2017-03-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | PHP remote file inclusion vulnerability in editInplace.php in Wonder CMS 2014 allows remote attackers to execute arbitrary PHP code via a URL in the hook parameter. |
| 18 | CVE-2014-5362 | 20 | | File Inclusion | 2017-09-19 | 2018-10-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The admin interface in Landesk Management Suite 9.6 and earlier allows remote attackers to conduct remote file inclusion attacks involving ASPX pages from third-party sites via the d parameter to (1) ldms/sm_actionfrm.asp or (2) remote/frm_coremainfrm.aspx; or the (3) top parameter to remote/frm_splitfrm.aspx. |