vendor:
Fantastico
by:
cyb3rt & 020
7.5
CVSS
HIGH
Local File Include
22
CWE
Product Name: Fantastico
Affected Version From: Cpanel 10.x
Affected Version To: Cpanel 10.x
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
2007
Fantastico In all Version Cpanel 10.x <= local File Include
The vulnerability allows an attacker to include local files on the server by manipulating the 'userlanguage' parameter in the 'load_language.php' script. This can be exploited to read sensitive files like 'passwd' or execute arbitrary PHP code by including a malicious file.
Mitigation:
The vendor should release a patch to fix the vulnerability. In the meantime, users can mitigate the risk by implementing proper input validation and sanitization techniques.