PT-2019-13308 · Flightpath · Flightpath

Published

2019-07-10

Updated

2019-07-17

CVE-2019-13396

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions FlightPath versions 4.x through 5.0-x

Description The issue allows directory traversal and Local File Inclusion through the form include parameter in an "index.php?q=system-handle-form-submit" POST request. This is due to an include once in the system handle form submit function in modules/system/system.module.

Recommendations For FlightPath versions 4.x through 5.0-x, consider restricting access to the system handle form submit function in modules/system/system.module until a patch is available. Avoid using the form include parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2019-13396

Affected Products

Flightpath

PT-2019-13308 · Flightpath · Flightpath

CVE-2019-13396

Weakness Enumeration

Related Identifiers

Affected Products

References · 5