CVE-2019-13396

Name of the Vulnerable Software and Affected Versions FlightPath versions 4.x through 5.0-x

Description The issue allows directory traversal and Local File Inclusion through the form include parameter in an "index.php?q=system-handle-form-submit" POST request. This is due to an include once in the system handle form submit function in modules/system/system.module.

Recommendations For FlightPath versions 4.x through 5.0-x, consider restricting access to the system handle form submit function in modules/system/system.module until a patch is available. Avoid using the form include parameter in the affected API endpoint until the issue is resolved.