Security Vulnerabilities, CVEs, Published In 2009 (File inclusion)
Multiple PHP remote file inclusion vulnerabilities in PHPope 1.0.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[config][dir][plugins] parameter to plugins/address/admin/index.php, (2) GLOBALS[config][dir][functions] parameter to plugins/im/compose.php, and (3) GLOBALS[config][dir][classes] parameter to plugins/cssedit/admin/index.php.
Max CVSS
7.5
EPSS Score
1.12%
Published
2009-12-30
Updated
2017-09-19
Multiple PHP remote file inclusion vulnerabilities in FreeSchool 1.1.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the CLASSPATH parameter to (1) bib_form.php, (2) bib_pldetails.php, (3) bib_plform.php, (4) bib_plsearchc.php, (5) bib_plsearchs.php, (6) bib_save.php, (7) bib_searchc.php, (8) bib_searchs.php, (9) edi_form.php, (10) edi_save.php, (11) gen_form.php, (12) gen_save.php, (13) lin_form.php, (14) lin_save.php, (15) luo_form.php, (16) luo_save.php, (17) sog_form.php, or (18) sog_save.php in biblioteca/; (19) cal_insert.php, (20) cal_save.php, or (21) cal_saveactivity.php in calendario/; (22) circolari/cir_save.php; or (23) modulistica/mdl_save.php.
Max CVSS
7.5
EPSS Score
1.19%
Published
2009-12-30
Updated
2017-09-19
PHP remote file inclusion vulnerability in cal_popup.php in the Anything Digital Development JCal Pro (aka com_jcalpro or JCP) component 1.5.3.6 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
Max CVSS
7.5
EPSS Score
1.52%
Published
2009-12-28
Updated
2010-06-29
PHP remote file inclusion vulnerability in js/bbcodepress/bbcode-form.php in eoCMS 0.9.03 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the BBCODE_path parameter.
Max CVSS
6.8
EPSS Score
0.53%
Published
2009-12-14
Updated
2009-12-15
PHP remote file inclusion vulnerability in components/core/connect.php in AROUNDMe 1.1 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the language_path parameter.
Max CVSS
6.8
EPSS Score
0.53%
Published
2009-12-10
Updated
2009-12-11
Multiple PHP remote file inclusion vulnerabilities in SweetRice 0.5.4, 0.5.3, and earlier allow remote attackers to execute arbitrary PHP code via a URL in the root_dir parameter to (1) _plugin/subscriber/inc/post.php and (2) as/lib/news_modify.php.
Max CVSS
6.8
EPSS Score
1.48%
Published
2009-12-07
Updated
2017-08-17
PHP remote file inclusion vulnerability in adm/krgourl.php in KR-Web 1.1b2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT parameter.
Max CVSS
7.5
EPSS Score
0.61%
Published
2009-12-07
Updated
2017-08-17
PHP remote file inclusion vulnerability in includes/classes/pctemplate.php in PointComma 3.8b2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the pcConfig[smartyPath] parameter.
Max CVSS
7.5
EPSS Score
0.72%
Published
2009-12-07
Updated
2017-08-17
PHP remote file inclusion vulnerability in modules/pms/index.php in Ciamos CMS 0.9.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the module_path parameter.
Max CVSS
7.5
EPSS Score
0.53%
Published
2009-12-02
Updated
2009-12-03
PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav.php in the D4J eZine (com_ezine) component 2.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path parameter.
Max CVSS
7.5
EPSS Score
0.72%
Published
2009-11-29
Updated
2017-08-17
PHP remote file inclusion vulnerability in assets/plugins/mp3_id/mp3_id.php in PHP Traverser 0.8.0 allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[BASE] parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Max CVSS
7.5
EPSS Score
1.12%
Published
2009-11-29
Updated
2017-08-17
PHP remote file inclusion vulnerability in forums/Forum_Include/index.php in Outreach Project Tool (OPT) 1.2.7 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the CRM_path parameter.
Max CVSS
7.5
EPSS Score
7.20%
Published
2009-11-29
Updated
2017-08-17
PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.
Max CVSS
5.0
EPSS Score
5.39%
Published
2009-11-24
Updated
2024-02-15
PHP remote file inclusion vulnerability in Fiji Web Design Ajax Chat (com_ajaxchat) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[mosConfig_absolute_path] parameter to tests/ajcuser.php.
Max CVSS
7.5
EPSS Score
12.82%
Published
2009-10-28
Updated
2009-10-28
PHP remote file inclusion vulnerability in doc/releasenote.php in the BookLibrary (com_booklibrary) component 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter, a different vector than CVE-2009-2637. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Max CVSS
7.5
EPSS Score
2.19%
Published
2009-10-28
Updated
2009-10-28
PHP remote file inclusion vulnerability in debugger.php in Achievo before 1.4.0 allows remote attackers to execute arbitrary PHP code via a URL in the config_atkroot parameter.
Max CVSS
7.5
EPSS Score
1.44%
Published
2009-10-16
Updated
2021-04-07
Multiple absolute path traversal vulnerabilities in PHP-Calendar 1.1 allow remote attackers to include and execute arbitrary local files via a full pathname in the configfile parameter to (1) update08.php or (2) update10.php. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.
Max CVSS
7.5
EPSS Score
0.66%
Published
2009-12-22
Updated
2018-10-10
PHP remote file inclusion vulnerability in libraries/database.php in Efront 3.5.4 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's security documentation.
Max CVSS
6.8
EPSS Score
1.56%
Published
2009-10-11
Updated
2017-09-19
Directory traversal vulnerability in ls.php in LittleSite (aka LS or LittleSite.php) 0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.
Max CVSS
7.5
EPSS Score
1.01%
Published
2009-10-02
Updated
2017-08-17
PHP remote file inclusion vulnerability in CoupleDB.php in PHPGenealogy 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the DataDirectory parameter.
Max CVSS
7.5
EPSS Score
0.63%
Published
2009-10-02
Updated
2017-09-19
Directory traversal vulnerability in image.php in Clear Content 1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the url parameter. NOTE: the researcher also suggests an analogous PHP remote file inclusion vulnerability, but this may be incorrect.
Max CVSS
4.3
EPSS Score
1.61%
Published
2009-10-02
Updated
2017-09-19
Multiple PHP remote file inclusion vulnerabilities in justVisual 1.2 allow remote attackers to execute arbitrary PHP code via a URL in the fs_jVroot parameter to (1) sites/site/pages/index.php, (2) sites/test/pages/contact.php, (3) system/pageTemplate.php, and (4) system/utilities.php.
Max CVSS
7.5
EPSS Score
0.56%
Published
2009-10-01
Updated
2017-09-19
Multiple PHP remote file inclusion vulnerabilities in Loggix Project 9.4.5 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the pathToIndex parameter to (1) Calendar.php, (2) Comment.php, (3) Rss.php and (4) Trackback.php in lib/Loggix/Module/; and (5) modules/downloads/lib/LM_Downloads.php.
Max CVSS
7.5
EPSS Score
0.63%
Published
2009-09-30
Updated
2017-09-19
PHP remote file inclusion vulnerability in includes/file_manager/special.php in MaxCMS 3.11.20b allows remote attackers to execute arbitrary PHP code via a URL in the fm_includes_special parameter.
Max CVSS
6.8
EPSS Score
0.72%
Published
2009-09-25
Updated
2017-09-19
Multiple PHP remote file inclusion vulnerabilities in MaxCMS 3.11.20b, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) is_projectPath parameter to includes/InstantSite/inc.is_root.php; GLOBALS[thCMS_root] parameter to (2) classes/class.Tree.php, (3) includes/inc.thcms_admin_mediamanager.php, and (4) modul/mod.rssreader.php; is_path parameter to (5) class.tasklist.php, (6) class.thcms.php, (7) class.thcms_content.php, (8) class.thcms_modul_parent.php, (9) class.thcms_page.php, and (10) class.thcsm_user.php in classes/; and (11) includes/InstantSite/class.Tree.php; and thCMS_root parameter to (12) classes/class.thcms_modul.php; (13) inc.page_edit_tasklist.php, (14) inc.thcms_admin_overview_backup.php, and (15) inc.thcms_edit_content.php in includes/; and (16) class.thcms_modul_parent_xml.php, (17) mod.cmstranslator.php, (18) mod.download.php, (19) mod.faq.php, (20) mod.guestbook.php, (21) mod.html.php, (22) mod.menu.php, (23) mod.news.php, (24) mod.newsticker.php, (25) mod.rss.php, (26) mod.search.php, (27) mod.sendtofriend.php, (28) mod.sitemap.php, (29) mod.tagdoc.php, (30) mod.template.php, (31) mod.test.php, (32) mod.text.php, (33) mod.upload.php, and (34) mod.users.php in modul/.
Max CVSS
6.8
EPSS Score
2.42%
Published
2009-09-25
Updated
2017-09-19