CVE-2019-13396

MEDIUM NUCLEI

Flightpath < 4.8.3 - Path Traversal

Title source: rule

Description

FlightPath 4.x and 5.0-x allows directory traversal and Local File Inclusion through the form_include parameter in an index.php?q=system-handle-form-submit POST request because of an include_once in system_handle_form_submit in modules/system/system.module.

Exploits (1)

exploitdb WORKING POC

by Mohammed Althibyani · textwebappsphp

https://www.exploit-db.com/exploits/47121

View Code ZIP pw:eip

Nuclei Templates (1)

FlightPath - Local File Inclusion

MEDIUMby 0x_Akoko,daffainfo

References (2)

[Third Party Advisory] http://getflightpath.com/node/2650

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/153626/FlightPath-Local-File-Inclusion.html

Scores

CVSS v3 5.3

EPSS 0.6862

EPSS Percentile 98.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-22

Status published

Products (2)

getflightpath/flightpath 5.0 beta1 (7 CPE variants)

getflightpath/flightpath 4.0 - 4.8.3

Published Jul 10, 2019

Tracked Since Feb 18, 2026