cbcvebase.
CVE-2019-18951
published 2019-11-13

CVE-2019-18951: SibSoft Xfilesharing through 2.5.1 allows op=page&tmpl=../ directory traversal to read arbitrary files.

PriorityP263high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
19.78%
97.1th percentile
SibSoft Xfilesharing through 2.5.1 allows op=page&tmpl=../ directory traversal to read arbitrary files.

Affected

1 ranges
VendorProductVersion rangeFixed in
sibsoftxfilesharing<= 2.5.1

Detection & IOCsextracted from sources · hover to see the quote

path/cgi-bin/up.cgi
path/cgi-bin/temp/{{path}}/{{filename}}.php
urlhttp://xyz.com/cgi-bin/temp/joe/shell.php
urlhttp://xyz.com/?op=page&tmpl=../../admin_settings
urlhttp://xyz.com/?op=page&tmpl=../../../../../../../tmp/upload
  • Monitor for multipart file upload POST requests to /cgi-bin/up.cgi with a 'sid' parameter, which controls the upload subdirectory and can be path-traversed (e.g., sid=../../../../../../tmp) to place files outside the intended temp directory.
  • Detect LFI exploitation attempts via the 'tmpl' parameter in requests to /?op=page — path traversal sequences (../../) targeting .html files indicate active exploitation of CVE-2019-18951.
  • Alert on GET requests to /cgi-bin/temp/ paths containing uploaded .php files, which indicates successful arbitrary file upload and potential webshell access.
  • The exploit chain combines file upload (CVE-2019-18952) with LFI (CVE-2019-18951): an .html file containing shortcodes is uploaded to /tmp via sid path traversal, then included via the tmpl parameter to achieve RCE.
  • Use the Google dork 'inurl:/?op=registration' to identify exposed Xfilesharing instances for proactive asset discovery.
  • ·The .html extension is hard-coded server-side for LFI template inclusion; only files with the .html extension can be included via the tmpl parameter, meaning the attacker must upload an .html file (not .php) for the LFI stage of the RCE chain.
  • ·RCE requires chaining both CVE-2019-18952 (arbitrary file upload) and CVE-2019-18951 (LFI); neither vulnerability alone achieves code execution.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.