CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In 2021 (File Inclusion)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 CVE-2021-43693 File Inclusion 2021-11-29 2021-11-30
7.5
None Remote Low Not required Partial Partial Partial
vesta 0.9.8-24 is affected by a file inclusion vulnerability in file web/add/user/index.php.
2 CVE-2021-41569 829 File Inclusion 2021-11-19 2021-12-02
5.0
None Remote Low Not required Partial None None
SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. The samples library (included by default) in the appstart.sas file, allows end-users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro. Users can escape the context of the configured user-controllable variable and append additional functions native to the macro but not included as variables within the library. This includes a function that retrieves files from the host OS.
3 CVE-2021-41277 20 File Inclusion 2021-11-17 2021-11-23
5.0
None Remote Low Not required Partial None None
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
4 CVE-2021-40651 22 Dir. Trav. File Inclusion 2021-09-29 2021-10-07
4.0
None Remote Low ??? Partial None None
OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can disclose arbitrary files from the server's filesystem as long as the application has access to the file.
5 CVE-2021-40095 File Inclusion 2021-12-07 2021-12-07
4.0
None Remote Low ??? Partial None None
An issue was discovered in SquaredUp for SCOM 5.2.1.6654. The Download Log feature in System / Maintenance was susceptible to a local file inclusion vulnerability (when processing remote input in the log files downloaded by an authenticated administrator user), leading to the ability to read arbitrary files on the server filesystems.
6 CVE-2021-39433 File Inclusion 2021-10-04 2021-10-12
5.0
None Remote Low Not required Partial None None
A local file inclusion (LFI) vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user.
7 CVE-2021-38360 829 Exec Code File Inclusion 2021-09-10 2021-09-21
7.5
None Remote Low Not required Partial Partial Partial
The wp-publications WordPress plugin is vulnerable to restrictive local file inclusion via the Q_FILE parameter found in the ~/bibtexbrowser.php file which allows attackers to include local zip files and achieve remote code execution, in versions up to and including 0.0.
8 CVE-2021-37348 552 File Inclusion 2021-08-13 2021-08-23
5.0
None Remote Low Not required Partial None None
Nagios XI before version 5.8.5 is vulnerable to local file inclusion through improper limitation of a pathname in index.php.
9 CVE-2021-36123 File Inclusion 2021-07-13 2021-07-15
4.0
None Remote Low ??? Partial None None
An issue was discovered in Echo ShareCare 8.15.5. The TextReader feature in General/TextReader/TextReader.cfm is susceptible to a local file inclusion vulnerability when processing remote input in the textFile parameter from an authenticated user, leading to the ability to read arbitrary files on the server filesystems as well as any files accessible via Universal Naming Convention (UNC) paths.
10 CVE-2021-33408 319 File Inclusion 2021-05-27 2021-06-08
4.0
None Remote Low ??? Partial None None
Local File Inclusion vulnerability in Ab Initio Control>Center before 4.0.2.6 allows remote attackers to retrieve arbitrary files. Fixed in v4.0.2.6 and v4.0.3.1.
11 CVE-2021-32100 File Inclusion 2021-05-07 2021-05-14
4.0
None Remote Low ??? Partial None None
A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user.
12 CVE-2021-31783 345 File Inclusion 2021-04-26 2021-05-04
5.0
None Remote Low Not required Partial None None
show_default.php in the LocalFilesEditor extension before 11.4.0.1 for Piwigo allows Local File Inclusion because the file parameter is not validated with a proper regular-expression check.
13 CVE-2021-31599 434 File Inclusion 2021-11-08 2021-11-09
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. A reports (.prpt) file allows the inclusion of BeanShell scripts to ease the production of complex reports. An authenticated user can run arbitrary code.
14 CVE-2021-30173 36 File Inclusion 2021-05-07 2021-05-18
4.0
None Remote Low ??? Partial None None
A Local File Inclusion vulnerability in the omni-directional communication system allows a remote authenticated attacker to inject an absolute path into the Url parameter and access arbitrary files.
15 CVE-2021-30121 829 File Inclusion 2021-07-09 2021-07-12
6.5
None Remote Low ??? Partial Partial Partial
Local file inclusion exists in Kaseya VSA before 9.5.6.
16 CVE-2021-29113 File Inclusion 2021-12-07 2021-12-07
0.0
None ??? ??? ??? ??? ??? ???
A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied html into a page.
17 CVE-2021-27341 22 Dir. Trav. File Inclusion 2021-09-16 2021-09-27
7.5
None Remote Low Not required Partial Partial Partial
OpenSIS Community Edition version <= 7.6 is affected by a local file inclusion vulnerability in DownloadWindow.php via the "filename" parameter.
18 CVE-2021-27236 94 Exec Code File Inclusion 2021-02-16 2021-02-22
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Mutare Voice (EVM) 3.x before 3.3.8. getfile.asp allows Unauthenticated Local File Inclusion, which can be leveraged to achieve Remote Code Execution.
19 CVE-2021-25447 287 File Inclusion 2021-08-05 2021-08-12
5.0
None Remote Low Not required None Partial None
Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows untrusted applications to cause local file inclusion in webview.
20 CVE-2021-25438 863 File Inclusion 2021-07-08 2021-07-12
4.6
None Local Low Not required Partial Partial Partial
Improper access control vulnerability in Samsung Members prior to versions 2.4.85.11 in Android O(8.1) and below, and 3.9.10.11 in Android P(9.0) and above allows untrusted applications to cause local file inclusion in webview.
21 CVE-2021-24644 22 Dir. Trav. File Inclusion 2021-11-23 2021-11-24
5.0
None Remote Low Not required Partial None None
The Images to WebP WordPress plugin before 1.9 does not validate or sanitise the tab parameter before passing it to the include() function, which could lead to a Local File Inclusion issue.
22 CVE-2021-24472 918 File Inclusion 2021-08-02 2021-08-27
7.5
None Remote Low Not required Partial Partial Partial
The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website.
23 CVE-2021-24453 22 Exec Code Dir. Trav. File Inclusion 2021-07-19 2021-09-20
9.0
None Remote Low ??? Complete Complete Complete
The Include Me WordPress plugin through 1.2.1 is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution (RCE) of the system due to log poisoning and therefore potentially a full compromise of the underlying structure.
24 CVE-2021-24447 22 Dir. Trav. File Inclusion 2021-07-19 2021-07-28
5.0
None Remote Low Not required Partial None None
The WP Image Zoom WordPress plugin before 1.47 did not validate its tab parameter before using it in the include_once() function, leading to a local file inclusion issue in the admin dashboard.
25 CVE-2021-24242 22 Dir. Trav. File Inclusion 2021-04-22 2021-04-30
5.5
None Remote Low ??? Partial Partial None
The Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.8 is affected by a local file inclusion vulnerability through the maliciously constructed sub_page parameter of the plugin's Tools, allowing high privilege users to include any local php file.
26 CVE-2021-23340 22 Dir. Trav. File Inclusion 2021-02-18 2021-02-25
5.5
None Remote Low ??? Partial Partial None
This affects the package pimcore/pimcore before 6.8.8. A Local File Inclusion vulnerability exists in the downloadCsvAction function of the CustomReportController class (bundles/AdminBundle/Controller/Reports/CustomReportController.php). An authenticated user can reach this function with a GET request at the following endpoint: /admin/reports/custom-report/download-csv?exportFile=[filename]. Since the exportFile variable is not sanitized, an attacker can exploit a local file inclusion vulnerability.
27 CVE-2021-21804 829 Exec Code File Inclusion 2021-07-16 2021-07-28
7.5
None Remote Low Not required Partial Partial Partial
A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafted HTTP request to trigger this vulnerability.
28 CVE-2021-20124 668 File Inclusion 2021-10-13 2021-10-19
7.8
None Remote Low Not required Complete None None
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
29 CVE-2021-20123 668 File Inclusion 2021-10-13 2021-10-19
7.8
None Remote Low Not required Complete None None
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
30 CVE-2020-35942 352 Exec Code XSS Bypass CSRF File Inclusion 2021-02-09 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload and Local File Inclusion via settings modification, leading to Remote Code Execution and XSS. (It is possible to bypass CSRF protection by simply not including a nonce parameter.)
31 CVE-2020-35580 522 File Inclusion 2021-05-20 2021-05-28
5.0
None Remote Low Not required Partial None None
A local file inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin's API key and the base64 encoded SHA1 password hashes of other SearchBlox users.
32 CVE-2020-35566 706 File Inclusion 2021-02-16 2021-02-19
5.0
None Remote Low Not required Partial None None
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. An attacker can read arbitrary JSON files via Local File Inclusion.
33 CVE-2020-35340 552 File Inclusion 2021-09-15 2021-09-24
5.0
None Remote Low Not required Partial None None
A local file inclusion vulnerability in ExpertPDF 9.5.0 through 14.1.0 allows attackers to read the file contents from files that the running ExpertPDF process has access to read.
34 CVE-2020-25414 94 Exec Code File Inclusion 2021-06-17 2021-06-21
7.5
None Remote Low Not required Partial Partial Partial
A local file inclusion vulnerability was discovered in the captcha function in Monstra 3.0.4 which allows remote attackers to execute arbitrary PHP code.
35 CVE-2020-23996 Exec Code File Inclusion 2021-05-13 2021-05-21
6.5
None Remote Low ??? Partial Partial Partial
A local file inclusion vulnerability in ILIAS before 5.3.19, 5.4.10 and 6.0 allows remote authenticated attackers to execute arbitrary code via the import of personal data.
36 CVE-2020-23161 22 Dir. Trav. File Inclusion 2021-01-26 2021-03-30
4.0
None Remote Low ??? Partial None None
Local file inclusion in Pyrescom Termod4 time management devices before 10.04k allows authenticated remote attackers to traverse directories and read sensitive files via the Maintenance > Logs menu and manipulating the file-path in the URL.
37 CVE-2020-22474 732 File Inclusion 2021-02-22 2021-07-21
4.0
None Remote Low ??? Partial None None
In webERP 4.15, the ManualContents.php file allows users to specify the "Language" parameter, which can lead to local file inclusion.
38 CVE-2020-21786 434 File Inclusion 2021-06-24 2021-07-01
7.5
None Remote Low Not required Partial Partial Partial
In IBOS 4.5.4 Open, Arbitrary File Inclusion causes getshell via /system/modules/dashboard/controllers/CronController.php.
39 CVE-2020-19360 200 +Info File Inclusion 2021-01-20 2021-07-21
5.0
None Remote Low Not required Partial None None
Local file inclusion in FHEM 6.0 in the fhem/FileLog_logWrapper file parameter can allow an attacker to include a file, which can lead to sensitive information disclosure.
40 CVE-2020-13550 22 Dir. Trav. File Inclusion 2021-02-17 2021-02-19
4.0
None Remote Low ??? Partial None None
A local file inclusion vulnerability exists in the installation functionality of Advantech WebAccess/SCADA 9.0.1. A specially crafted application can lead to information disclosure. An attacker can send an authenticated HTTP request to trigger this vulnerability.
41 CVE-2017-17674 918 Exec Code File Inclusion 2021-05-19 2021-05-25
7.5
None Remote Low Not required Partial Partial Partial
BMC Remedy Mid Tier 9.1SP3 is affected by remote and local file inclusion. Due to the lack of restrictions on what can be targeted, the system can be vulnerable to attacks such as system fingerprinting, internal port scanning, Server Side Request Forgery (SSRF), or remote code execution (RCE).
Total number of vulnerabilities : 41   Page : 1 (This Page)