CVE-2009-1911

QuiXplorer <= 2.3.2 - Path Traversal

Description

Directory traversal vulnerability in .include/init.php (aka admin/_include/init.php) in QuiXplorer 2.3.2 and earlier, as used in TinyWebGallery (TWG) 1.7.6 and earlier, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter to admin/index.php.

Exploits (1)

exploitdb WORKING POC VERIFIED
by EgiX · php · webapps · php
https://www.exploit-db.com/exploits/8649

Scores

EPSS 0.0991
EPSS Percentile 93.0%

Details

CWE
CWE-22
Status published
Products (50)
claudio_klingler/quixplorer 1.0
claudio_klingler/quixplorer 1.1
claudio_klingler/quixplorer 1.2
claudio_klingler/quixplorer 1.4
claudio_klingler/quixplorer 1.5
claudio_klingler/quixplorer 1.6
claudio_klingler/quixplorer 2.0
claudio_klingler/quixplorer 2.1.1
claudio_klingler/quixplorer 2.2
claudio_klingler/quixplorer 2.3
... and 40 more
Published Jun 04, 2009
Tracked Since Feb 18, 2026