CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In 2022 (File Inclusion)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date
Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 | CVE-2022-44786 | - | - | File Inclusion | 2022-11-21 | 2022-11-23
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
An issue was discovered in Appalti & Contratti 9.12.2. The target web applications allow Local File Inclusion in any page relying on the href parameter to specify the JSP page to be rendered. This affects ApriPagina.do POST and GET requests to each application.
2 | CVE-2022-44784 | - | - | File Inclusion | 2022-11-21 | 2022-11-23
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
An issue was discovered in Appalti & Contratti 9.12.2. The target web applications LFS and DL229 expose a set of services provided by the Axis 1.4 instance, embedded directly into the applications, as hinted by the WEB-INF/web.xml file leaked through Local File Inclusion. Among the exposed services, there is the Axis AdminService, which, through the default configuration, should normally be accessible only by the localhost. Nevertheless, by trying to access the mentioned service, both in LFS and DL229, the service can actually be reached even by remote users, allowing creation of arbitrary services on the server side. When an attacker can reach the AdminService, they can use it to instantiate arbitrary services on the server. The exploit procedure is well known and described in Generic AXIS-SSRF exploitation. Basically, the attack consists of writing a JSP page inside the root directory of the web application, through the org.apache.axis.handlers.LogHandler class.
3 | CVE-2022-42234 | 552 | - | File Inclusion | 2022-10-14 | 2022-10-17
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
There is a file inclusion vulnerability in the template management module in UCMS 1.6.
4 | CVE-2022-42029 | 434 | - | File Inclusion | 2022-10-17 | 2022-10-19
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory.
5 | CVE-2022-41571 | - | - | File Inclusion | 2022-09-27 | 2022-09-28
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Local file inclusion can occur.
6 | CVE-2022-41547 | - | - | File Inclusion | 2022-10-18 | 2022-10-20
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request.
7 | CVE-2022-41343 | 552 | - | File Inclusion | 2022-09-25 | 2022-11-21
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.
8 | CVE-2022-40742 | 22 | - | Dir. Trav., File Inclusion | 2022-10-31 | 2022-11-01
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Mail SQR Expert system has a Local File Inclusion vulnerability. An unauthenticated remote attacker can exploit this vulnerability to execute an arbitrary PHP file with an .asp file extension under specific system paths, to access and modify partial system information, but it does not affect service availability.
9 | CVE-2022-40089 | - | - | Exec Code, File Inclusion | 2022-09-22 | 2022-09-26
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
A remote file inclusion (RFI) vulnerability in Simple College Website v1.0 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploitable when the directive allow_url_include is set to On.
10 | CVE-2022-39838 | 22 | - | Dir. Trav., File Inclusion | 2022-09-05 | 2022-09-09
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Systematic FIX Adapter (ALFAFX) 2.4.0.25 13/09/2017 allows remote file inclusion via a UNC share pathname, and also allows absolute path traversal to local pathnames.
11 | CVE-2022-38258 | 668 | - | DoS, File Inclusion | 2022-09-08 | 2022-09-15
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
A local file inclusion (LFI) vulnerability in D-Link DIR 819 v1.06 allows attackers to cause a Denial of Service (DoS) or access sensitive server information via manipulation of the getpage parameter in a crafted web request.
12 | CVE-2022-34121 | 829 | - | File Inclusion | 2022-07-27 | 2022-08-04
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Cuppa CMS v1.0 was discovered to contain a local file inclusion (LFI) vulnerability via the component /templates/default/html/windows/right.php.
13 | CVE-2022-34002 | 22 | - | Dir. Trav., File Inclusion | 2022-09-16 | 2022-09-19
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
The ‘document’ parameter of PDS Vista 7’s /application/documents/display.aspx page is vulnerable to a Local File Inclusion vulnerability which allows a low-privileged authenticated attacker to leak the configuration files and source code of the web application.
14 | CVE-2022-32409 | 94 | - | Exec Code, File Inclusion | 2022-07-14 | 2022-07-20
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
A local file inclusion (LFI) vulnerability in the component codemirror.php of Portal do Software Publico Brasileiro i3geo v7.0.5 allows attackers to execute arbitrary PHP code via a crafted HTTP request.
15 | CVE-2022-29597 | 22 | - | Dir. Trav., File Inclusion | 2022-06-02 | 2022-06-12
4.0 | None | Remote | Low | ??? | Partial | None | None
Solutions Atlantic Regulatory Reporting System (RRS) v500 is vulnerable to Local File Inclusion (LFI). Any authenticated user has the ability to reference internal system files within requests made to the RRSWeb/maint/ShowDocument/ShowDocument.aspx page. The server will successfully respond with the file contents of the internal system file requested. This ability could allow for adversaries to extract sensitive data and/or files from the underlying file system, gain knowledge about the internal workings of the system, or access source code of the application.
16 | CVE-2022-29448 | 706 | - | File Inclusion | 2022-05-20 | 2022-05-26
4.0 | None | Remote | Low | ??? | Partial | None | None
Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Herd Effects plugin <= 5.2 at WordPress.
17 | CVE-2022-29447 | 552 | - | File Inclusion | 2022-05-20 | 2022-06-02
4.0 | None | Remote | Low | ??? | Partial | None | None
Authenticated (administrator or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Hover Effects plugin <= 2.1 at WordPress.
18 | CVE-2022-29446 | 552 | - | File Inclusion | 2022-05-19 | 2022-05-26
4.0 | None | Remote | Low | ??? | Partial | None | None
Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Counter Box plugin <= 1.1.1 at WordPress.
19 | CVE-2022-29445 | 706 | - | File Inclusion | 2022-05-18 | 2022-05-26
6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Popup Box plugin <= 2.1.2 at WordPress.
20 | CVE-2022-29014 | - | - | File Inclusion | 2022-06-09 | 2022-06-17
5.0 | None | Remote | Low | Not required | Partial | None | None
A local file inclusion vulnerability in Razer Sila Gaming Router v2.0.441_api-2.0.418 allows attackers to read arbitrary files.
21 | CVE-2022-28997 | 918 | - | File Inclusion | 2022-05-23 | 2022-06-03
5.0 | None | Remote | Low | Not required | Partial | None | None
CSZCMS v1.3.0 allows attackers to execute a Server-Side Request Forgery (SSRF) which can be leveraged to leak sensitive data via a local file inclusion at /admin/filemanager/connector/.
22 | CVE-2022-28741 | 20 | - | File Inclusion | 2022-09-09 | 2022-09-14
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
aEnrich a+HRD 5.x Learning Management Key Performance Indicator System has a local file inclusion (LFI) vulnerability that occurs due to missing input validation in v5.x.
23 | CVE-2022-28521 | - | - | File Inclusion | 2022-04-26 | 2022-05-04
7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
ZCMS v20170206 was discovered to contain a file inclusion vulnerability via index.php?m=home&c=home&a=sp_set_config.
24 | CVE-2022-28093 | - | - | Exec Code, File Inclusion | 2022-04-25 | 2022-05-05
7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SCBS Online Sports Venue Reservation System v1.0 was discovered to contain a local file inclusion vulnerability which allows attackers to execute arbitrary code via a crafted PHP file.
25 | CVE-2022-27257 | 668 | - | File Inclusion | 2022-04-15 | 2022-04-22
5.0 | None | Remote | Low | Not required | Partial | None | None
A PHP Local File Inclusion vulnerability in the default Redbasic theme for Hubzilla before version 7.2 allows remote attackers to include arbitrary php files via the schema parameter.
26 | CVE-2022-27256 | 601 | - | File Inclusion | 2022-04-13 | 2022-04-20
5.8 | None | Remote | Medium | Not required | Partial | Partial | None
A PHP Local File inclusion vulnerability in the Redbasic theme for Hubzilla before version 7.2 allows remote attackers to include arbitrary php files via the schema parameter.
27 | CVE-2022-27243 | - | - | File Inclusion | 2022-03-18 | 2022-03-25
6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
An issue was discovered in MISP before 2.4.156. app/View/Users/terms.ctp allows Local File Inclusion via the custom terms file setting.
28 | CVE-2022-26646 | - | - | File Inclusion | 2022-03-30 | 2022-04-05
7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Online Banking System Protect v1.0 was discovered to contain a local file inclusion (LFI) vulnerability via the pages parameter.
29 | CVE-2022-25486 | 829 | - | File Inclusion | 2022-03-15 | 2022-10-27
6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertConfigField.php.
30 | CVE-2022-25485 | 829 | - | File Inclusion | 2022-03-15 | 2022-03-23
6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertLightbox.php.
31 | CVE-2022-24232 | 829 | - | Exec Code, File Inclusion | 2022-02-24 | 2022-03-03
6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
A local file inclusion in Hospital Patient Record Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.
32 | CVE-2022-23377 | 552 | - | File Inclusion | 2022-03-01 | 2022-03-08
5.0 | None | Remote | Low | Not required | Partial | None | None
Archeevo below 5.0 is affected by local file inclusion through file=~/web.config to allow an attacker to retrieve local files.
33 | CVE-2022-23166 | 22 | - | Dir. Trav., File Inclusion | 2022-05-12 | 2022-05-23
10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Sysaid – Sysaid Local File Inclusion (LFI) – An unauthenticated attacker can access the system via the "/lib/tinymce/examples/index.html" path: in the "Insert/Edit Embedded Media" window, choose Type: iFrame and File/URL: [here is the LFI]. Solution: update to the 22.2.20 cloud version, or to the 22.1.64 on-premise version.
34 | CVE-2022-22847 | - | - | File Inclusion | 2022-01-10 | 2022-01-18
6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Formpipe Lasernet before 9.13.3 allows file inclusion in Client Web Services (either by an authenticated attacker, or in a configuration that does not require authentication).
35 | CVE-2022-22793 | - | - | File Inclusion | 2022-02-24 | 2022-10-07
5.0 | None | Remote | Low | Not required | Partial | None | None
Cybonet - PineApp Mail Relay Local File Inclusion. An attacker can send a request to /manage/mailpolicymtm/log/eml_viewer/email.content.body.php?filesystem_path=ENCODED PATH and, by doing so, read local files on the server.
36 | CVE-2022-22246 | 829 | - | File Inclusion | 2022-10-18 | 2022-10-20
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
A PHP Local File Inclusion (LFI) vulnerability in the J-Web component of Juniper Networks Junos OS may allow a low-privileged authenticated attacker to execute an untrusted PHP file. By chaining this vulnerability with other unspecified vulnerabilities, and by circumventing existing attack requirements, successful exploitation could lead to a complete system compromise. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S6; 19.4 versions prior to 19.4R2-S7, 19.4R3-S8; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S2; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R2-S2, 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R1-S1, 22.1R2.
37 | CVE-2022-3361 | 22 | - | Exec Code, Dir. Trav., File Inclusion | 2022-11-29 | 2022-12-01
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including, 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a php file, then remote code execution via inclusion may also be possible. Note: for users with less than administrative capabilities, /wp-admin access needs to be enabled for that user in order for this to be exploitable by those users.
38 | CVE-2022-2261 | 22 | - | Dir. Trav., File Inclusion | 2022-08-29 | 2022-09-01
0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
The WPIDE WordPress plugin before 3.0 does not sanitize and validate the filename parameter before using it in a require statement in the admin dashboard, leading to a Local File Inclusion issue.
39 | CVE-2022-1657 | 22 | - | Dir. Trav., File Inclusion | 2022-06-13 | 2022-06-21
6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
Vulnerable versions of the Jupiter (<= 6.10.1) and JupiterX (<= 2.0.6) Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.
40 | CVE-2022-1560 | 22 | - | Dir. Trav., File Inclusion | 2022-05-16 | 2022-10-14
4.3 | None | Remote | Medium | Not required | Partial | None | None
The Amministrazione Aperta WordPress plugin before 3.8 does not validate the open parameter before using it in an include statement, leading to a Local File Inclusion issue. The original advisory mentions that unauthenticated users can exploit this; however, the affected file generates a fatal error when accessed directly and the affected code is not reached. The issue can be exploited via the dashboard when logged in as an admin, or by making a logged-in admin open a malicious link.
41 | CVE-2022-1392 | 22 | - | Dir. Trav., File Inclusion | 2022-04-25 | 2022-05-04
5.0 | None | Remote | Low | Not required | Partial | None | None
The Videos sync PDF WordPress plugin through 1.7.4 does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues.
42 | CVE-2022-1391 | 22 | - | Dir. Trav., File Inclusion | 2022-04-25 | 2022-11-09
7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.
43 | CVE-2022-0320 | 22 | - | Dir. Trav., File Inclusion | 2022-02-01 | 2022-02-04
7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before using them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attacks and read arbitrary files on the server; this could also lead to RCE via user-uploaded files or other LFI-to-RCE techniques.
44 | CVE-2021-46381 | 22 | - | Dir. Trav., File Inclusion | 2022-03-04 | 2022-05-12
5.0 | None | Remote | Low | Not required | Partial | None | None
Local File Inclusion due to path traversal in D-Link DAP-1620 leads to unauthorized internal files reading [/etc/passwd] and [/etc/shadow].
45 | CVE-2021-45898 | - | - | File Inclusion | 2022-01-28 | 2022-02-02
7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion.
46 | CVE-2021-26633 | 89 | - | Sql, +Info, File Inclusion | 2022-06-02 | 2022-06-09
7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL injection and Local File Inclusion (LFI) vulnerabilities in MaxBoard can cause information leakage and privilege escalation. These vulnerabilities can be exploited by manipulating a variable with a desired value and inserting an arbitrary file.
47 | CVE-2021-25082 | 22 | - | Dir. Trav., File Inclusion | 2022-02-21 | 2022-02-28
6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to an RCE vulnerability via wrappers such as PHAR.
48 | CVE-2021-24825 | 345 | - | Exec Code, File Inclusion | 2022-03-07 | 2022-04-12
4.0 | None | Remote | Low | ??? | Partial | None | None
The Custom Content Shortcode WordPress plugin before 4.0.2 does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to display arbitrary files from the filesystem (such as logs, .htaccess etc.), as well as perform Local File Inclusion attacks, as PHP files will be executed. Please note that such an attack is still possible by admin+ users in single-site blogs by default (but won't be when either unfiltered_html or file_edit is disallowed).
49 | CVE-2021-24820 | 22 | - | Dir. Trav., File Inclusion | 2022-02-28 | 2022-03-07
4.0 | None | Remote | Low | ??? | Partial | None | None
The Cost Calculator WordPress plugin through 1.6 allows authenticated users (Contributor+ in versions < 1.5, and Admin+ in versions <= 1.6) to perform path traversal and local PHP file inclusion on Windows web servers via the Cost Calculator post's Layout.
50 | CVE-2020-19896 | - | - | Exec Code, File Inclusion | 2022-06-28 | 2022-07-08
7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
File inclusion vulnerability in Minicms v1.9 allows remote attackers to execute arbitrary PHP code via post-edit.php.
Total number of vulnerabilities: 50. Page: 1 (this page)