FlightPath < 4.8.2 & < 5.0-rc2 - Local File Inclusion

vendor:

FlightPath

by:

Mohammed Althibyani

5.3

CVSS

MEDIUM

Local File Inclusion

CWE

Product Name: FlightPath

Affected Version From: < 4.8.2

Affected Version To: < 5.0-rc2

Patch Exists: YES

Related CWE: CVE-2019-13396

CPE: a:flightpath:flightpath

Metasploit:

Other Scripts:

Tags: cve,cve2019,flightpath,lfi,edb

CVSS Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Nuclei References: https://www.exploit-db.com/exploits/47121, http://getflightpath.com/node/2650, https://nvd.nist.gov/vuln/detail/CVE-2019-13396

Nuclei Metadata: {'max-request': 2, 'vendor': 'getflightpath', 'product': 'flightpath'}

Platforms Tested: Kali Linux

2019

FlightPath < 4.8.2 & < 5.0-rc2 - Local File Inclusion

This exploit allows an attacker to include arbitrary local files on the server by modifying the 'include_form' parameter in a POST request. By manipulating the 'form_include' parameter, an attacker can traverse directories and access sensitive files on the server, such as /etc/passwd.

Mitigation:

To mitigate this vulnerability, it is recommended to update FlightPath to version 4.8.2 or higher.

Source

FlightPath < 4.8.2 & < 5.0-rc2 - Local File Inclusion

Mitigation:

Exploit-DB raw data: