| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2021-43693 | | | File Inclusion | 2021-11-29 | 2021-11-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | vesta 0.9.8-24 is affected by a file inclusion vulnerability in file web/add/user/index.php. |
| 2 | CVE-2021-41569 | 829 | | File Inclusion | 2021-11-19 | 2022-04-06 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. The samples library (included by default) in the appstart.sas file allows end-users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro. Users can escape the context of the configured user-controllable variable and append additional functions native to the macro but not included as variables within the library. This includes a function that retrieves files from the host OS. |
| 3 | CVE-2021-41277 | 20 | | File Inclusion | 2021-11-17 | 2021-11-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you're unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application. |
| 4 | CVE-2021-40651 | 22 | | Dir. Trav. File Inclusion | 2021-09-29 | 2021-10-07 | 4.0 | None | Remote | Low | ??? | Partial | None | None | OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can disclose arbitrary files from the server's filesystem as long as the application has access to the file. |
| 5 | CVE-2021-40095 | | | File Inclusion | 2021-12-07 | 2021-12-07 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An issue was discovered in SquaredUp for SCOM 5.2.1.6654. The Download Log feature in System / Maintenance was susceptible to a local file inclusion vulnerability (when processing remote input in the log files downloaded by an authenticated administrator user), leading to the ability to read arbitrary files on the server filesystems. |
| 6 | CVE-2021-39433 | | | File Inclusion | 2021-10-04 | 2021-10-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A local file inclusion (LFI) vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user. |
| 7 | CVE-2021-38360 | 829 | | Exec Code File Inclusion | 2021-09-10 | 2021-09-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The wp-publications WordPress plugin is vulnerable to restrictive local file inclusion via the Q_FILE parameter found in the ~/bibtexbrowser.php file which allows attackers to include local zip files and achieve remote code execution, in versions up to and including 0.0. |
| 8 | CVE-2021-37348 | 552 | | File Inclusion | 2021-08-13 | 2021-08-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php. |
| 9 | CVE-2021-36123 | | | File Inclusion | 2021-07-13 | 2021-07-15 | 4.0 | None | Remote | Low | ??? | Partial | None | None | An issue was discovered in Echo ShareCare 8.15.5. The TextReader feature in General/TextReader/TextReader.cfm is susceptible to a local file inclusion vulnerability when processing remote input in the textFile parameter from an authenticated user, leading to the ability to read arbitrary files on the server filesystems as well as any files accessible via Universal Naming Convention (UNC) paths. |
| 10 | CVE-2021-33408 | 319 | | File Inclusion | 2021-05-27 | 2021-06-08 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Local File Inclusion vulnerability in Ab Initio Control>Center before 4.0.2.6 allows remote attackers to retrieve arbitrary files. Fixed in v4.0.2.6 and v4.0.3.1. |
| 11 | CVE-2021-32100 | | | File Inclusion | 2021-05-07 | 2021-05-14 | 4.0 | None | Remote | Low | ??? | Partial | None | None | A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user. |
| 12 | CVE-2021-31783 | 345 | | File Inclusion | 2021-04-26 | 2021-05-04 | 5.0 | None | Remote | Low | Not required | Partial | None | None | show_default.php in the LocalFilesEditor extension before 11.4.0.1 for Piwigo allows Local File Inclusion because the file parameter is not validated with a proper regular-expression check. |
| 13 | CVE-2021-31599 | 434 | | File Inclusion | 2021-11-08 | 2021-11-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. A reports (.prpt) file allows the inclusion of BeanShell scripts to ease the production of complex reports. An authenticated user can run arbitrary code. |
| 14 | CVE-2021-30173 | 36 | | File Inclusion | 2021-05-07 | 2021-05-18 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Local File Inclusion vulnerability of the omni-directional communication system allows a remote authenticated attacker to inject an absolute path into the Url parameter and access arbitrary files. |
| 15 | CVE-2021-30121 | 829 | | File Inclusion | 2021-07-09 | 2022-04-29 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Semi-authenticated local file inclusion. The contents of arbitrary files can be returned by the webserver. Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp`. A valid sessionId is required but can be easily obtained via CVE-2021-30118. |
| 16 | CVE-2021-29113 | 94 | | File Inclusion | 2021-12-07 | 2022-03-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker-supplied HTML into a page. |
| 17 | CVE-2021-27341 | 22 | | Dir. Trav. File Inclusion | 2021-09-16 | 2021-09-27 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | OpenSIS Community Edition version <= 7.6 is affected by a local file inclusion vulnerability in DownloadWindow.php via the "filename" parameter. |
| 18 | CVE-2021-27236 | 668 | | Exec Code File Inclusion | 2021-02-16 | 2022-05-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. getfile.asp allows Unauthenticated Local File Inclusion, which can be leveraged to achieve Remote Code Execution. |
| 19 | CVE-2021-25447 | 287 | | File Inclusion | 2021-08-05 | 2021-08-12 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows untrusted applications to cause local file inclusion in webview. |
| 20 | CVE-2021-25438 | 863 | | File Inclusion | 2021-07-08 | 2021-07-12 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Improper access control vulnerability in Samsung Members prior to versions 2.4.85.11 in Android O(8.1) and below, and 3.9.10.11 in Android P(9.0) and above allows untrusted applications to cause local file inclusion in webview. |
| 21 | CVE-2021-24970 | 22 | | Dir. Trav. File Inclusion | 2021-12-13 | 2021-12-16 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File Inclusion issue. |
| 22 | CVE-2021-24644 | 22 | | Dir. Trav. File Inclusion | 2021-11-23 | 2021-11-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Images to WebP WordPress plugin before 1.9 does not validate or sanitise the tab parameter before passing it to the include() function, which could lead to a Local File Inclusion issue. |
| 23 | CVE-2021-24472 | 918 | | File Inclusion | 2021-08-02 | 2021-08-27 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users; sending requests to this proxy functionality will have the web server fetch and display the content from any URI. This would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website. |
| 24 | CVE-2021-24453 | 22 | | Exec Code Dir. Trav. File Inclusion | 2021-07-19 | 2021-09-20 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | The Include Me WordPress plugin through 1.2.1 is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution (RCE) of the system due to log poisoning and therefore potentially a full compromise of the underlying structure. |
| 25 | CVE-2021-24447 | 22 | | Dir. Trav. File Inclusion | 2021-07-19 | 2021-07-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The WP Image Zoom WordPress plugin before 1.47 did not validate its tab parameter before using it in the include_once() function, leading to a local file inclusion issue in the admin dashboard. |
| 26 | CVE-2021-24242 | 22 | | Dir. Trav. File Inclusion | 2021-04-22 | 2021-04-30 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | The Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.8 is affected by a local file inclusion vulnerability through the maliciously constructed sub_page parameter of the plugin's Tools, allowing high privilege users to include any local php file. |
| 27 | CVE-2021-23340 | 22 | | Dir. Trav. File Inclusion | 2021-02-18 | 2021-02-25 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | This affects the package pimcore/pimcore before 6.8.8. A Local File Inclusion vulnerability exists in the downloadCsvAction function of the CustomReportController class (bundles/AdminBundle/Controller/Reports/CustomReportController.php). An authenticated user can reach this function with a GET request at the following endpoint: /admin/reports/custom-report/download-csv?exportFile=[filename]. Since the exportFile variable is not sanitized, an attacker can exploit a local file inclusion vulnerability. |
| 28 | CVE-2021-21907 | 22 | | Dir. Trav. File Inclusion | 2021-12-22 | 2022-04-28 | 4.0 | None | Remote | Low | ??? | Partial | None | None | A directory traversal vulnerability exists in the CMA CLI getenv command functionality of Garrett Metal Detectors' iC Module CMA Version 5.0. A specially-crafted command line argument can lead to local file inclusion. An attacker can provide malicious input to trigger this vulnerability. |
| 29 | CVE-2021-21885 | 22 | | Dir. Trav. File Inclusion | 2021-12-22 | 2022-04-28 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A directory traversal vulnerability exists in the Web Manager FsMove functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially crafted HTTP request can lead to local file inclusion. An attacker can make an authenticated HTTP request to trigger this vulnerability. |
| 30 | CVE-2021-21880 | 22 | | Dir. Trav. File Inclusion | 2021-12-22 | 2022-04-28 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A directory traversal vulnerability exists in the Web Manager FsCopyFile functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to local file inclusion. An attacker can make an authenticated HTTP request to trigger this vulnerability. |
| 31 | CVE-2021-21878 | 668 | | File Inclusion | 2021-12-22 | 2022-04-28 | 6.8 | None | Remote | Low | ??? | Complete | None | None | A local file inclusion vulnerability exists in the Web Manager Applications and FsBrowse functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted series of HTTP requests can lead to local file inclusion. An attacker can make a series of authenticated HTTP requests to trigger this vulnerability. |
| 32 | CVE-2021-21804 | 829 | | Exec Code File Inclusion | 2021-07-16 | 2022-04-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafted HTTP request to trigger this vulnerability. |
| 33 | CVE-2021-20124 | 668 | | File Inclusion | 2021-10-13 | 2021-10-19 | 7.8 | None | Remote | Low | Not required | Complete | None | None | A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges. |
| 34 | CVE-2021-20123 | 668 | | File Inclusion | 2021-10-13 | 2021-10-19 | 7.8 | None | Remote | Low | Not required | Complete | None | None | A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges. |
| 35 | CVE-2020-35942 | 352 | | Exec Code XSS Bypass CSRF File Inclusion | 2021-02-09 | 2021-07-21 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload and Local File Inclusion via settings modification, leading to Remote Code Execution and XSS. (It is possible to bypass CSRF protection by simply not including a nonce parameter.) |
| 36 | CVE-2020-35580 | 522 | | File Inclusion | 2021-05-20 | 2021-05-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A local file inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin's API key and the base64 encoded SHA1 password hashes of other SearchBlox users. |
| 37 | CVE-2020-35566 | 706 | | File Inclusion | 2021-02-16 | 2021-02-19 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An attacker can read arbitrary JSON files via Local File Inclusion. |
| 38 | CVE-2020-35340 | 552 | | File Inclusion | 2021-09-15 | 2021-09-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A local file inclusion vulnerability in ExpertPDF 9.5.0 through 14.1.0 allows attackers to read the file contents from files that the running ExpertPDF process has access to read. |
| 39 | CVE-2020-25414 | 94 | | Exec Code File Inclusion | 2021-06-17 | 2021-06-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which allows remote attackers to execute arbitrary PHP code. |
| 40 | CVE-2020-23996 | | | Exec Code File Inclusion | 2021-05-13 | 2021-05-21 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A local file inclusion vulnerability in ILIAS before 5.3.19, 5.4.10 and 6.0 allows remote authenticated attackers to execute arbitrary code via the import of personal data. |
| 41 | CVE-2020-23161 | 22 | | Dir. Trav. File Inclusion | 2021-01-26 | 2021-03-30 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Local file inclusion in Pyrescom Termod4 time management devices before 10.04k allows authenticated remote attackers to traverse directories and read sensitive files via the Maintenance > Logs menu and manipulating the file-path in the URL. |
| 42 | CVE-2020-22474 | 732 | | File Inclusion | 2021-02-22 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None | In webERP 4.15, the ManualContents.php file allows users to specify the "Language" parameter, which can lead to local file inclusion. |
| 43 | CVE-2020-21786 | 434 | | File Inclusion | 2021-06-24 | 2021-07-01 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In IBOS 4.5.4 Open, Arbitrary File Inclusion causes getshell via /system/modules/dashboard/controllers/CronController.php. |
| 44 | CVE-2020-19360 | 200 | | +Info File Inclusion | 2021-01-20 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Local file inclusion in FHEM 6.0 via the file parameter of fhem/FileLog_logWrapper can allow an attacker to include a file, which can lead to sensitive information disclosure. |
| 45 | CVE-2020-13550 | 22 | | Dir. Trav. File Inclusion | 2021-02-17 | 2022-06-29 | 4.0 | None | Remote | Low | ??? | Partial | None | None | A local file inclusion vulnerability exists in the installation functionality of Advantech WebAccess/SCADA 9.0.1. A specially crafted application can lead to information disclosure. An attacker can send an authenticated HTTP request to trigger this vulnerability. |
| 46 | CVE-2017-17674 | 918 | | Exec Code File Inclusion | 2021-05-19 | 2021-05-25 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | BMC Remedy Mid Tier 9.1SP3 is affected by remote and local file inclusion. Due to the lack of restrictions on what can be targeted, the system can be vulnerable to attacks such as system fingerprinting, internal port scanning, Server Side Request Forgery (SSRF), or remote code execution (RCE). |