CVEdetails.com: Security Vulnerabilities Published In 2020 (File Inclusion)
Entry layout (each table row is split over several lines): # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date; then the CVSS v2 base score; then Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.; then the description. An empty CWE ID or # of Exploits field means none is recorded.
1 CVE-2020-29279 Exec Code File Inclusion 2020-12-02 2020-12-04
7.5
None Remote Low Not required Partial Partial Partial
PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution.
2 CVE-2020-29254 352 CSRF File Inclusion 2020-12-11 2020-12-14
6.8
None Remote Medium Not required Partial Partial Partial
TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include submitting attacker-controlled code through an authenticated user, resulting in local file inclusion. If an authenticated user who is able to edit TikiWiki templates visits a malicious website, template code can be edited.
3 CVE-2020-29227 Exec Code File Inclusion 2020-12-14 2020-12-15
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Car Rental Management System 1.0. An unauthenticated user can perform a file inclusion attack against the /index.php file with a partial filename in the "page" parameter, to cause local file inclusion resulting in code execution.
4 CVE-2020-27191 File Inclusion 2020-11-16 2020-11-30
5.0
None Remote Low Not required Partial None None
LionWiki before 3.2.12 allows an unauthenticated user to read files as the web server user via crafted string in the index.php f1 variable, aka Local File Inclusion. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
5 CVE-2020-25149 22 Exec Code Dir. Trav. File Inclusion 2020-09-25 2020-09-30
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion because any file with an inc.php extension can be loaded without restriction. Inclusion of other files (even though limited to that extension) can lead to remote code execution. This can occur via /device/device=345/?tab=health&metric=../ because of device/health.inc.php.
6 CVE-2020-25145 22 Exec Code Dir. Trav. File Inclusion 2020-09-25 2020-09-30
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion because any file with an inc.php extension can be loaded without restriction. Inclusion of other files (even though limited to that extension) can lead to remote code execution. This can occur via /device/device=345/?tab=ports&view=../ URIs because of device/port.inc.php.
7 CVE-2020-25144 22 Exec Code Dir. Trav. File Inclusion 2020-09-25 2020-09-30
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion because any file with an inc.php extension can be loaded without restriction. Inclusion of other files (even though limited to that extension) can lead to remote code execution. This can occur via /apps/?app=../ URIs.
8 CVE-2020-25136 22 Exec Code Dir. Trav. File Inclusion 2020-09-25 2020-09-30
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion because any file with an inc.php extension can be loaded without restriction. Inclusion of other files (even though limited to that extension) can lead to remote code execution. This can occur via /device/device=345/?tab=routing&proto=../ URIs to device/routing.inc.php.
9 CVE-2020-25134 22 Exec Code Dir. Trav. File Inclusion 2020-09-25 2020-09-30
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion because any file with an inc.php extension can be loaded without restriction. Inclusion of other files (even though limited to that extension) can lead to remote code execution. This can occur via /settings/?format=../ URIs to pages/settings.inc.php.
10 CVE-2020-25133 22 Exec Code Dir. Trav. File Inclusion 2020-09-25 2020-09-30
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion because any file with an inc.php extension can be loaded without restriction. Inclusion of other files (even though limited to that extension) can lead to remote code execution. This can occur via /ports/?format=../ URIs to pages/ports.inc.php.
11 CVE-2020-25068 22 Dir. Trav. File Inclusion 2020-09-03 2020-11-12
5.0
None Remote Low Not required Partial None None
Setelsa Conacwin v3.7.1.2 is vulnerable to a local file inclusion vulnerability. This vulnerability allows a remote unauthenticated attacker to read internal files on the server via an http:IP:PORT/../../path/file_to_disclose Directory Traversal URI. NOTE: The manufacturer indicated that the affected version does not exist. Furthermore, they indicated that they detected this problem in an internal audit more than 3 years ago and fixed it in 2017.
12 CVE-2020-13792 22 Dir. Trav. File Inclusion 2020-06-03 2020-06-04
4.0
None Remote Low Single system Partial None None
PlayTube 1.8 allows disclosure of user details via ajax.php?type=../admin-panel/autoload&page=manage-users directory traversal, aka local file inclusion.
13 CVE-2020-13175 829 File Inclusion 2020-08-11 2020-08-14
5.0
None Remote Low Not required Partial None None
The Management Interface of the Teradici Cloud Access Connector and Cloud Access Connector Legacy for releases prior to April 20, 2020 (v15 and earlier for Cloud Access Connector) contains a local file inclusion vulnerability which allows an unauthenticated remote attacker to leak LDAP credentials via a specially crafted HTTP request.
14 CVE-2020-12743 552 File Inclusion 2020-05-11 2020-05-15
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Gazie 7.32. A successful installation does not remove or block (or in any other way prevent use of) its own file /setup/install/setup.php, meaning that anyone can request it without authentication. This file allows arbitrary PHP file inclusion via a hidden_req POST parameter.
15 CVE-2020-12447 22 Dir. Trav. File Inclusion 2020-04-29 2020-05-11
5.0
None Remote Low Not required Partial None None
A Local File Inclusion (LFI) issue on Onkyo TX-NR585 1000-0000-000-0008-0000 devices allows remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal, as demonstrated by reading /etc/shadow.
16 CVE-2020-12112 200 +Info File Inclusion 2020-04-23 2020-04-27
5.0
None Remote Low Not required Partial None None
BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion.
17 CVE-2020-11732 200 +Info File Inclusion 2020-04-13 2021-07-21
5.0
None Remote Low Not required Partial None None
The Media Library Assistant plugin before 2.82 for WordPress suffers from a Local File Inclusion vulnerability in mla_gallery link=download.
18 CVE-2020-11642 552 File Inclusion 2020-10-15 2020-11-17
4.0
None Remote Low Single system None None Partial
The local file inclusion vulnerability present in B&R SiteManager versions <9.2.620236042 allows authenticated users to impact availability of SiteManager instances.
19 CVE-2020-11641 552 File Inclusion 2020-10-15 2020-11-17
4.0
None Remote Low Single system Partial None None
A local file inclusion vulnerability in B&R SiteManager versions <9.2.620236042 allows authenticated users to read sensitive files from SiteManager instances.
20 CVE-2020-11439 20 File Inclusion 2020-07-15 2021-07-21
9.0
None Remote Low Single system Complete Complete Complete
LibreHealth EMR v2.0.0 is affected by a Local File Inclusion issue allowing arbitrary PHP to be included and executed within the EMR application.
21 CVE-2020-9353 22 Dir. Trav. File Inclusion 2020-02-23 2020-02-24
5.0
None Remote Low Not required Partial None None
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML element in the _transaction parameter.
22 CVE-2020-8641 22 Dir. Trav. File Inclusion 2020-02-05 2020-02-07
6.5
None Remote Low Single system Partial Partial Partial
Lotus Core CMS 1.0.1 allows authenticated Local File Inclusion of .php files via directory traversal in the index.php page_slug parameter.
23 CVE-2020-6308 918 Bypass File Inclusion 2020-10-20 2020-10-22
5.0
None Remote Low Not required Partial None None
SAP BusinessObjects Business Intelligence Platform (Web Services) versions 410, 420, and 430 allow an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, the attacker can scan the internal network to map internal infrastructure and gather information for further attacks such as remote file inclusion, retrieve server files, bypass the firewall, and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.
24 CVE-2020-6142 22 Exec Code Dir. Trav. File Inclusion 2020-09-01 2020-09-04
7.5
None Remote Low Not required Partial Partial Partial
A remote code execution vulnerability exists in the Modules.php functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can cause local file inclusion. An attacker can send an HTTP request to trigger this vulnerability.
25 CVE-2020-5640 Exec Code +Info File Inclusion 2020-10-20 2020-10-22
7.5
None Remote Low Not required Partial Partial Partial
Local file inclusion vulnerability in OneThird CMS v1.96c and earlier allows a remote unauthenticated attacker to execute arbitrary code or obtain sensitive information via unspecified vectors.
26 CVE-2020-5280 22 Dir. Trav. File Inclusion 2020-03-25 2020-03-30
5.0
None Remote Low Not required Partial None None
http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported.
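The suffix-appended PHP includes in this list (Car Rental Management System's partial filename in "page", Observium's values with inc.php appended, Lotus Core CMS's page_slug) and the http4s entry above fail for the same reason: a user value is joined onto a base directory and the result is trusted, while the filesystem still resolves ../ and // after the join. The following is an added illustration, not code from any of those projects, showing the vulnerable concatenation next to the containment check that fixes it. The base directories, parameter values and allowlist are constructed for the example.

```python
# Added example: why "base + user_value + suffix" escapes the base
# directory, and the check that proves containment. Paths and the
# allowlist are constructed; nothing here is taken from a real product.
import posixpath
from typing import Optional
from urllib.parse import unquote


class IncludeRejected(Exception):
    """Raised when a requested include would resolve outside the base directory."""


def naive_include_path(base_dir: str, user_value: str, suffix: str) -> str:
    """The vulnerable pattern, as in include($base . $_GET['page'] . '.php').

    The web server has already percent-decoded the query value once (PHP's
    $_GET is decoded), so we decode once too, then concatenate and let the
    path resolve.  Returns the file that would actually be opened."""
    value = unquote(user_value)
    return posixpath.normpath(posixpath.join(base_dir, value + suffix))


def safe_include_path(base_dir: str, user_value: str, suffix: str,
                      allowlist: Optional[frozenset] = None) -> str:
    """Resolve user_value + suffix under base_dir or raise IncludeRejected.

    Order matters: decode exactly once (decoding again would turn a harmless
    '%252e%252e' into '..'), reject NUL bytes and absolute paths, optionally
    enforce an allowlist, then canonicalize and test containment on the
    canonical string rather than on the raw input."""
    value = unquote(user_value)
    if "\x00" in value or value.startswith("/"):
        raise IncludeRejected(f"control byte or absolute path in {user_value!r}")
    if allowlist is not None and value not in allowlist:
        raise IncludeRejected(f"{value!r} is not an allowed include name")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, value + suffix))
    # 'base + "/"' so that /var/www/pages2/x cannot pass for base /var/www/pages.
    if not candidate.startswith(base + "/"):
        raise IncludeRejected(f"{candidate} escapes {base}")
    return candidate


def escapes_base(base_dir: str, user_value: str, suffix: str,
                 allowlist: Optional[frozenset] = None) -> bool:
    """True when safe_include_path would reject the value."""
    try:
        safe_include_path(base_dir, user_value, suffix, allowlist)
    except IncludeRejected:
        return True
    return False


if __name__ == "__main__":
    base = "/var/www/pages"  # constructed
    for value in ["home", "../../../etc/passwd", "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/shadow",
                  "x//../../etc/passwd", "home%00", "%252e%252e%2fetc"]:
        verdict = "REJECT" if escapes_base(base, value, ".php") else "ok"
        print(f"{value!r:45} naive -> {naive_include_path(base, value, '.php'):35} safe -> {verdict}")
```

The naive function shows the Observium shape directly: base "/opt/app/pages/device", value "../", suffix ".inc.php" resolves to "/opt/app/pages/.inc.php", one level above the intended directory, even though the extension restriction held. The safe function decodes once, so a double-encoded "%252e%252e" stays a literal directory name inside the base (a nonexistent file, not a traversal), and it rejects "x//../../etc/passwd" because the check runs on the normalized path where "//" has already collapsed.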
27 CVE-2020-3794 20 Exec Code File Inclusion 2020-03-25 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
ColdFusion 2016 and ColdFusion 2018 have a file inclusion vulnerability. Successful exploitation could lead to arbitrary code execution of files located in the webroot or its subdirectories.
28 CVE-2020-1745 Exec Code File Inclusion 2020-04-28 2021-09-14
7.5
None Remote Low Not required Partial Partial Partial
A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.
29 CVE-2020-1631 22 Dir. Trav. File Inclusion 2020-05-04 2020-05-08
6.8
None Remote Medium Not required Partial Partial Partial
A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal. Using this vulnerability, an attacker may be able to inject commands into httpd.log, read files with 'world' readable permission, or obtain J-Web session tokens.

In the case of command injection, as the HTTP service runs as user 'nobody', the impact of the command injection is limited. (CVSS score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

In the case of reading files with 'world' readable permission, in Junos OS 19.3R1 and above, the unauthenticated attacker would be able to read the configuration file. (CVSS score 5.9, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

If J-Web is enabled, the attacker could gain the same level of access as anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web. (CVSS score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled. Junos OS devices with HTTP/HTTPS services disabled are not affected. If HTTP/HTTPS services are enabled, the following command will show the httpd processes:

    user@device> show system processes | match http
    5260  -  S  0:00.13 /usr/sbin/httpd-gk -N
    5797  -  I  0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf

To summarize: If HTTP/HTTPS services are disabled, there is no impact from this vulnerability. If HTTP/HTTPS services are enabled and J-Web is not in use, this vulnerability has a CVSS score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). If J-Web is enabled, this vulnerability has a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Juniper SIRT has received a single report of this vulnerability being exploited in the wild. Out of an abundance of caution, we are notifying customers so they can take appropriate actions.

Indicators of Compromise: /var/log/httpd.log may contain indicators that commands have been injected or files have been accessed. The device administrator can look for these indicators by searching for the string patterns "=*;*&" or "=*%3b*&" in /var/log/httpd.log, using the following command:

    user@device> show log httpd.log | match "=*;*&|=*%3b*&"

If this command returns any output, it might be an indication of malicious attempts or simply scanning activity. Rotated logs should also be reviewed, using the following commands:

    user@device> show log httpd.log.0.gz | match "=*;*&|=*%3b*&"
    user@device> show log httpd.log.1.gz | match "=*;*&|=*%3b*&"

Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been attacked.

This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S16; 12.3X48 versions prior to 12.3X48-D101, 12.3X48-D105; 14.1X53 versions prior to 14.1X53-D54; 15.1 versions prior to 15.1R7-S7; 15.1X49 versions prior to 15.1X49-D211, 15.1X49-D220; 16.1 versions prior to 16.1R7-S8; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R2-S7, 18.2R3-S4; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R1-S7, 18.4R3-S2; 18.4 version 18.4R2 and later versions; 19.1 versions prior to 19.1R1-S5, 19.1R3-S1; 19.1 version 19.1R2 and later versions; 19.2 versions prior to 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S2, 19.4R2; 20.1 versions prior to 20.1R1-S1, 20.1R2.
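The Indicators of Compromise above are given as two Junos CLI searches over /var/log/httpd.log and its rotated .gz copies. The block below is an added example (not Juniper code) that applies the same two string patterns to log lines in Python, adds one traversal indicator for the LFI side of the same issue, and reads gzip-compressed rotated logs. The log lines are constructed in a generic access-log style for this example; the page does not show the real httpd.log format, and the request paths and addresses are invented.

```python
# Added example: the advisory's "=*;*&" / "=*%3b*&" indicators as a log
# scanner, plus gzip handling for rotated logs.  SAMPLE_LOG is constructed
# for this example and does not reflect the real Junos httpd.log format.
import gzip
import re
from typing import Iterable, List, Tuple

# The advisory's two patterns, read strictly: a literal '=', then a ';'
# (raw or percent-encoded) inside the same query value, then the '&' that
# starts the next parameter.  [^&\s]* keeps a match inside one value.
INDICATORS = {
    "semicolon-in-query": re.compile(r"=[^&\s]*;[^&\s]*&"),
    "encoded-semicolon-in-query": re.compile(r"=[^&\s]*%3[bB][^&\s]*&"),
    # Added beyond the advisory's list: traversal sequences, since the same
    # bug is also an LFI / path-traversal primitive.
    "path-traversal": re.compile(r"(?:\.\./|\.\.%2f|%2e%2e%2f|%2e%2e/)", re.IGNORECASE),
}

Hit = Tuple[int, str, str]  # (1-based line number, indicator name, line)


def scan_lines(lines: Iterable[str]) -> List[Hit]:
    """Return one hit per matching line; the first indicator that fires wins."""
    hits: List[Hit] = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((lineno, name, line.rstrip("\n")))
                break
    return hits


def scan_gz_bytes(data: bytes) -> List[Hit]:
    """Rotated logs (httpd.log.0.gz, httpd.log.1.gz, ...) are gzip files."""
    text = gzip.decompress(data).decode("utf-8", errors="replace")
    return scan_lines(text.splitlines())


# Constructed sample.  Line 6 carries a ';' in the LAST parameter, which
# the advisory's pattern (and ours) does not flag because no '&' follows.
SAMPLE_LOG = """\
2020-05-01 10:02:11 192.0.2.10 GET /login?user=admin&lang=en HTTP/1.1 200
2020-05-01 10:03:45 192.0.2.77 GET /page?param=x;id;&other=1 HTTP/1.1 200
2020-05-01 10:04:02 192.0.2.77 GET /page?param=x%3Bid%3B&other=1 HTTP/1.1 200
2020-05-01 10:05:17 192.0.2.77 GET /page?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1 404
2020-05-01 10:06:00 192.0.2.10 GET /static/app.js?v=2 HTTP/1.1 200
2020-05-01 10:07:30 192.0.2.77 GET /page?param=x;id HTTP/1.1 200
"""


def rotated_sample_gz() -> bytes:
    """Stand-in for httpd.log.0.gz: the same sample, gzip-compressed."""
    return gzip.compress(SAMPLE_LOG.encode())


if __name__ == "__main__":
    for source, hits in (("httpd.log", scan_lines(SAMPLE_LOG.splitlines())),
                         ("httpd.log.0.gz", scan_gz_bytes(rotated_sample_gz()))):
        for lineno, name, line in hits:
            print(f"{source}:{lineno} [{name}] {line}")
```

Two caveats the CLI search shares. Junos `match` takes a regular expression, and as a regex `=*;*&` also matches any line containing a bare `&`, so the device-side command is noisier than the strict Python patterns above. Both versions require an `&` after the injected `;`, so a payload placed in the last query parameter (constructed line 6) is not flagged; drop the trailing `&` from the pattern if you would rather trade false positives for recall. As the advisory notes, none of this helps once the attacker has edited the log.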
30 CVE-2020-1611 200 +Info File Inclusion 2020-01-15 2021-07-21
4.0
None Remote Low Single system Partial None None
A Local File Inclusion vulnerability in Juniper Networks Junos Space allows an attacker to view all files on the target when the device receives malicious HTTP packets. This issue affects: Juniper Networks Junos Space versions prior to 19.4R1.
31 CVE-2019-19486 22 Dir. Trav. File Inclusion 2020-03-20 2020-03-24
4.0
None Remote Low Single system Partial None None
Local File Inclusion in minPlayCommand.php in Centreon (19.04.4 and below) allows an attacker to traverse paths via a plugin test.
32 CVE-2015-7968 611 File Inclusion 2020-03-09 2020-03-10
4.0
None Remote Low Single system Partial None None
nwbc_ext2int in SAP NetWeaver Application Server before Security Note 2183189 allows XXE attacks for local file inclusion via the sap/bc/ui2/nwbc/nwbc_ext2int/ URI.
33 CVE-2014-5468 20 1 Exec Code +Info File Inclusion 2020-02-07 2020-02-11
6.8
None Remote Medium Not required Partial Partial Partial
A File Inclusion vulnerability exists in Railo 4.2.1 and earlier via a specially-crafted URL request to the thumbnail.cfm to specify a malicious PNG file, which could let a remote malicious user obtain sensitive information or execute arbitrary code.
34 CVE-2013-3738 20 Exec Code File Inclusion 2020-02-17 2020-02-20
7.5
None Remote Low Not required Partial Partial Partial
A File Inclusion vulnerability exists in Zabbix 2.0.6 due to inadequate sanitization of request strings in CGI scripts, which could let a remote malicious user execute arbitrary code.
35 CVE-2012-5699 20 File Inclusion 2020-01-23 2020-01-29
7.5
None Remote Low Not required Partial Partial Partial
BabyGekko before 1.2.4 allows PHP file inclusion.
36 CVE-2012-1496 74 File Inclusion 2020-01-27 2020-01-29
6.5
None Remote Low Single system Partial Partial Partial
Local file inclusion in WebCalendar before 1.2.5.
37 CVE-2011-3611 20 File Inclusion 2020-01-22 2020-01-29
9.0
None Remote Low Single system Complete Complete Complete
A File Inclusion vulnerability exists in the act parameter of admin.php in UseBB before 1.0.12.
Total number of vulnerabilities : 37   Page : 1 (This Page)