- The Zabbix frontend supported an XML data import feature, which used DOMDocument on the server to parse the XML. By default, DOMDocument also parses the external DTD, so a remote attacker could use a crafted XML file to make Zabbix read an arbitrary local file and send the contents of that file to a remote server.

  Affected versions: 1.8.19, 1.8.20, 2.0.9, 2.0.10, 2.0.11rc2, 2.0.11, 2.2.2, 2.2.3rc1, 2.2.3rc2, 2.2.3
- Upgrade to the latest version of Zabbix (this issue was fixed in version 2.3.2).
- WordPress Plugin OPS Old Post Spinner 'ops_file' Parameter Local File Include (2.2.1)
- Drupal Core 5.x Local File Inclusion (5.0 - 5.11)
- WordPress Plugin Vmax Project Manager Local File Inclusion (1.1)
- WordPress Plugin Visual Composer: Page Builder for WordPress Local File Inclusion (5.1)
- WordPress Plugin Mini Mail Dashboard Widget 'abspath' Parameter Remote File Include (1.36)