CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2019(File Inclusion)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-19745 434 File Inclusion 2019-12-17 2019-12-18
6.5
None Remote Low ??? Partial Partial Partial
Contao 4.0 through 4.8.5 allows PHP local file inclusion. A back end user with access to the form generator can upload arbitrary files and execute them on the server.
2 CVE-2019-19373 502 Exec Code File Inclusion 2019-12-11 2019-12-19
5.0
None Remote Low Not required Partial None None
An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parameter during processing of a Remote Content page type. This unserialization can be used to trigger the inclusion of arbitrary files on the filesystem (local file inclusion), and results in remote code execution.
3 CVE-2019-18665 22 Dir. Trav. File Inclusion 2019-11-02 2019-11-04
5.0
None Remote Low Not required Partial None None
The Log module in SECUDOS DOMOS before 5.6 allows local file inclusion.
4 CVE-2019-17400 918 File Inclusion 2019-10-21 2019-10-23
5.0
None Remote Low Not required Partial None None
The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
5 CVE-2019-17108 79 XSS File Inclusion 2019-10-08 2019-10-15
4.3
None Remote Medium Not required None Partial None
Local file inclusion in brokerPerformance.php in Centreon Web before 2.8.28 allows attackers to disclose information or perform a stored XSS attack on a user.
6 CVE-2019-16679 22 Dir. Trav. File Inclusion 2019-09-21 2019-09-23
4.0
None Remote Low ??? Partial None None
Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion.
7 CVE-2019-16246 200 Exec Code +Info File Inclusion 2019-12-12 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution.
8 CVE-2019-15839 22 Dir. Trav. File Inclusion 2019-08-30 2020-08-24
5.0
None Remote Low Not required Partial None None
The sina-extension-for-elementor plugin before 2.2.1 for WordPress has local file inclusion.
9 CVE-2019-15322 File Inclusion 2019-08-22 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
The shortcode-factory plugin before 2.8 for WordPress has Local File Inclusion.
10 CVE-2019-14798 22 Dir. Trav. File Inclusion 2019-08-09 2019-08-14
4.0
None Remote Low ??? Partial None None
The 10Web Photo Gallery plugin before 1.5.25 for WordPress has Authenticated Local File Inclusion via directory traversal in the wp-admin/admin-ajax.php?action=shortcode_bwg tagtext parameter.
11 CVE-2019-14424 200 +Info File Inclusion 2019-10-17 2021-07-21
4.0
None Remote Low ??? Partial None None
A Local File Inclusion (LFI) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to read sensitive files via a simple HTTP Request.
12 CVE-2019-14312 22 Dir. Trav. File Inclusion 2019-08-09 2019-08-19
4.0
None Remote Low ??? Partial None None
Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer. This vulnerability allows a remote attacker to read internal files on the server via a tools/sourceViewer/index.html?filename=../ URI.
13 CVE-2019-14277 611 Exec Code File Inclusion 2019-07-26 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
** DISPUTED ** Axway SecureTransport 5.x through 5.3 (or 5.x through 5.5 with certain API configuration) is vulnerable to unauthenticated blind XML injection (and XXE) in the resetPassword functionality via the REST API. This vulnerability can lead to local file disclosure, DoS, or URI invocation attacks (i.e., SSRF with resultant remote code execution). NOTE: The vendor disputes this issues as not being a vulnerability because “All attacks that use external entities are blocked (no external DTD or file inclusions, no SSRF). The impact on confidentiality, integrity and availability is not proved on any version.”
14 CVE-2019-14205 200 +Info File Inclusion 2019-07-21 2021-07-21
5.0
None Remote Low Not required Partial None None
A Local File Inclusion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to retrieve arbitrary files via the $REQUEST['adaptive-images-settings']['source_file'] parameter in adaptive-images-script.php.
15 CVE-2019-13396 22 Dir. Trav. File Inclusion 2019-07-10 2019-07-17
5.0
None Remote Low Not required Partial None None
FlightPath 4.x and 5.0-x allows directory traversal and Local File Inclusion through the form_include parameter in an index.php?q=system-handle-form-submit POST request because of an include_once in system_handle_form_submit in modules/system/system.module.
16 CVE-2019-13237 200 +Info File Inclusion 2019-08-27 2021-07-21
4.0
None Remote Low ??? Partial None None
In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp.
17 CVE-2019-13063 22 Dir. Trav. File Inclusion 2019-09-23 2019-09-23
5.0
None Remote Low Not required Partial None None
Within Sahi Pro 8.0.0, an attacker can send a specially crafted URL to include any victim files on the system via the script parameter on the Script_view page. This will result in file disclosure (i.e., being able to pull any file from the remote victim application). This can be used to steal and obtain sensitive config and other files. This can result in complete compromise of the application. The script parameter is vulnerable to directory traversal and both local and remote file inclusion.
18 CVE-2019-12593 22 Dir. Trav. File Inclusion 2019-06-03 2019-06-04
5.0
None Remote Low Not required Partial None None
IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index.php?style=..%5c directory traversal.
19 CVE-2019-12477 22 Dir. Trav. File Inclusion 2019-06-07 2019-06-11
2.1
None Local Low Not required None Partial None
Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication via a /remote/media_control?action=setUri&uri= URI.
20 CVE-2019-12464 22 Exec Code Dir. Trav. File Inclusion 2019-09-09 2019-09-10
6.0
None Remote Medium ??? Partial Partial Partial
An issue was discovered in LibreNMS 1.50.1. An authenticated user can perform a directory traversal attack against the /pdf.php file with a partial filename in the report parameter, to cause local file inclusion resulting in code execution.
21 CVE-2019-12314 22 Dir. Trav. File Inclusion 2019-05-24 2019-11-05
7.5
None Remote Low Not required Partial Partial Partial
Deltek Maconomy 2.2.5 is prone to local file inclusion via absolute path traversal in the WS.macx1.W_MCS/ PATH_INFO, as demonstrated by a cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/etc/passwd URI.
22 CVE-2019-11591 352 Dir. Trav. CSRF File Inclusion 2019-04-29 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
The WebDorado Contact Form plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.
23 CVE-2019-11590 352 Dir. Trav. CSRF File Inclusion 2019-04-29 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.
24 CVE-2019-11557 352 Dir. Trav. CSRF File Inclusion 2019-04-26 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
The WebDorado Contact Form Builder plugin before 1.0.69 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.
25 CVE-2019-11537 79 XSS File Inclusion 2019-04-25 2019-05-07
4.3
None Remote Medium Not required None Partial None
In osTicket before 1.12, XSS exists via /upload/file.php, /upload/scp/users.php?do=import-users, and /upload/scp/ajax.php/users/import if an agent manager user uploads a crafted .csv file to the User Importer, because file contents can appear in an error message. The XSS can lead to local file inclusion.
26 CVE-2019-11397 22 Dir. Trav. File Inclusion 2019-05-14 2019-05-16
4.0
None Remote Low ??? Partial None None
GetFile.aspx in Rapid4 RapidFlows Enterprise Application Builder 4.5M.23 (when used with .NET Framework 4.5) allows Local File Inclusion via the FileDesc parameter.
27 CVE-2019-11327 22 Dir. Trav. File Inclusion 2019-09-20 2019-09-23
4.0
None Remote Low ??? Partial None None
An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver devices with firmware 5.2.2. The web interface of the product has a local file inclusion vulnerability. An attacker with administrative privileges can craft a special URL to read arbitrary files from the device's files system.
28 CVE-2019-9889 22 Exec Code Dir. Trav. File Inclusion 2019-03-21 2019-03-26
4.0
None Remote Low ??? Partial None None
In Vanilla before 2.6.4, a flaw exists within the getSingleIndex function of the AddonManager class. The issue results in a require call using a crafted type value, leading to Directory Traversal with File Inclusion. An attacker can leverage this vulnerability to execute code under the context of the web server.
29 CVE-2019-9618 22 Dir. Trav. File Inclusion 2019-05-13 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the "cfg" parameter.
30 CVE-2019-8385 22 Exec Code Dir. Trav. File Inclusion 2019-06-05 2019-06-06
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Thomson Reuters Desktop Extensions 1.9.0.358. An unauthenticated directory traversal and local file inclusion vulnerability in the ThomsonReuters.Desktop.Service.exe and ThomsonReuters.Desktop.exe allows a remote attacker to list or enumerate sensitive contents of files via a \.. to port 6677. Additionally, this could allow for privilege escalation by dumping the affected machine's SAM and SYSTEM database files, as well as remote code execution.
31 CVE-2019-8154 829 Exec Code File Inclusion 2019-11-06 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update.
32 CVE-2019-7751 22 Exec Code Dir. Trav. File Inclusion 2019-12-31 2020-01-14
5.0
None Remote Low Not required Partial None None
A directory traversal and local file inclusion vulnerability in FPProducerInternetServer.exe in Ricoh MarcomCentral, formerly PTI Marketing, FusionPro VDP before 10.0 allows a remote attacker to list or enumerate sensitive contents of files. Furthermore, this could allow for privilege escalation by dumping the local machine's SAM and SYSTEM database files, and possibly remote code execution.
33 CVE-2019-7387 22 Dir. Trav. File Inclusion 2019-02-04 2019-05-08
4.0
None Remote Low ??? Partial None None
A local file inclusion vulnerability exists in the web interface of Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. When the export function is called from system/maintenance/export.php, it accepts the path provided by the user, leading to path traversal via the name parameter.
34 CVE-2019-7254 22 Dir. Trav. File Inclusion 2019-07-02 2021-10-04
5.0
None Remote Low Not required Partial None None
Linear eMerge E3-Series devices allow File Inclusion.
35 CVE-2019-6714 22 Exec Code Dir. Trav. File Inclusion 2019-03-21 2019-06-18
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in BlogEngine.NET through 3.3.6.0. A path traversal and Local File Inclusion vulnerability in PostList.ascx.cs can cause unauthenticated users to load a PostView.ascx component from a potentially untrusted location on the local filesystem. This is especially dangerous if an authenticated user uploads a PostView.ascx file using the file manager utility, which is currently allowed. This results in remote code execution for an authenticated user.
36 CVE-2019-5151 89 DoS Exec Code Sql File Inclusion 2019-10-31 2019-11-04
7.5
None Remote Low Not required Partial Partial Partial
An exploitable SQL injection vulnerability exist in YouPHPTube 7.7. A specially crafted unauthenticated HTTP request can cause a SQL injection, possibly leading to denial of service, exfiltration of the database and local file inclusion, which could potentially further lead to code execution. An attacker can send an HTTP request to trigger this vulnerability.
37 CVE-2019-5150 89 DoS Exec Code Sql File Inclusion 2019-10-31 2019-11-06
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable SQL injection vulnerability exist in YouPHPTube 7.7. When the "VideoTags" plugin is enabled, a specially crafted unauthenticated HTTP request can cause a SQL injection, possibly leading to denial of service, exfiltration of the database and local file inclusion, which could potentially further lead to code execution. An attacker can send an HTTP request to trigger this vulnerability.
38 CVE-2019-4263 829 File Inclusion 2019-07-11 2020-08-24
4.0
None Remote Low ??? Partial None None
IBM Content Navigator 3.0CD is vulnerable to local file inclusion, allowing an attacker to access a configuration file in the ICN server. IBM X-Force ID: 160015.
39 CVE-2018-20985 20 File Inclusion 2019-08-22 2019-08-26
7.5
None Remote Low Not required Partial Partial Partial
The wp-payeezy-pay plugin before 2.98 for WordPress has local file inclusion in pay.php, donate.php, donate-rec, and pay-rec.
40 CVE-2018-20973 20 File Inclusion 2019-08-16 2019-08-21
7.5
None Remote Low Not required Partial Partial Partial
The companion-auto-update plugin before 3.2.1 for WordPress has local file inclusion.
41 CVE-2018-20769 22 Dir. Trav. File Inclusion 2019-02-10 2020-08-24
5.0
None Remote Low Not required Partial None None
An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. There is a Local File Inclusion vulnerability.
42 CVE-2018-18863 22 Dir. Trav. File Inclusion 2019-06-19 2019-06-19
4.0
None Remote Low ??? Partial None None
NGA ResourceLink 20.0.2.1 allows local file inclusion.
43 CVE-2018-14886 732 File Inclusion 2019-06-28 2020-08-24
4.0
None Remote Low ??? Partial None None
The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST's local file inclusion, which allows privileged authenticated users to read local files via a crafted module description.
44 CVE-2017-9376 20 File Inclusion 2019-03-25 2019-04-02
5.0
None Remote Low Not required Partial None None
ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do.
45 CVE-2016-10991 20 File Inclusion 2019-09-17 2019-09-18
5.0
None Remote Low Not required Partial None None
The imdb-widget plugin before 1.0.9 for WordPress has Local File Inclusion.
46 CVE-2016-10956 20 File Inclusion 2019-09-16 2019-09-16
5.0
None Remote Low Not required Partial None None
The mail-masta plugin 1.0 for WordPress has local file inclusion in count_of_send.php and csvexport.php.
47 CVE-2015-9415 20 File Inclusion 2019-09-26 2019-09-27
5.0
None Remote Low Not required None Partial None
The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclusion.
48 CVE-2015-6461 20 File Inclusion 2019-03-21 2019-10-09
5.5
None Remote Low ??? Partial Partial None
Remote file inclusion allows an attacker to craft a specific URL referencing the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, or BMXP342030H PLC web server, which, when launched, will result in the browser redirecting to a remote file via a Java script loaded with the web page.
49 CVE-2014-10384 20 File Inclusion 2019-08-22 2019-08-26
7.5
None Remote Low Not required Partial Partial Partial
The memphis-documents-library plugin before 3.0 for WordPress has Local File Inclusion.
50 CVE-2014-10383 20 File Inclusion 2019-08-22 2019-08-26
7.5
None Remote Low Not required Partial Partial Partial
The memphis-documents-library plugin before 3.0 for WordPress has Remote File Inclusion.
Total number of vulnerabilities : 57   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.