{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25632", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-24T11:02:26.100Z", "datePublished": "2026-03-24T11:27:06.388Z", "dateUpdated": "2026-03-24T11:27:06.388Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-24T11:27:06.388Z"}, "datePublic": "2019-04-01T00:00:00.000Z", "title": "phpFileManager 1.7.8 Local File Inclusion via index.php", "descriptions": [{"lang": "en", "value": "phpFileManager 1.7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the action, fm_current_dir, and filename parameters. Attackers can send GET requests to index.php with crafted parameter values to access sensitive files like /etc/passwd from the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authentication for Critical Function", "cweId": "CWE-306", "type": "CWE"}]}], "affected": [{"vendor": "Sourceforge", "product": "phpFileManager", "versions": [{"version": "1.7.8", "status": "affected"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dulldusk:phpfilemanager:1.7.8:*:*:*:*:*:*:*"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/46638", "name": "ExploitDB-46638", "tags": ["exploit"]}, {"url": "https://sourceforge.net/projects/phpfm/", "name": "Official Product Homepage", "tags": ["product"]}, {"name": "VulnCheck Advisory: phpFileManager 1.7.8 Local File Inclusion via index.php", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/phpfilemanager-local-file-inclusion-via-index-php"}], "credits": [{"lang": "en", "value": "Murat Kalafatoglu", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dulldusk:phpfilemanager:1.7.8:*:*:*:*:*:*:*", "matchCriteriaId": "B0976145-9E87-4CF4-BBE7-7EFB9D5248C7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "phpFileManager 1.7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the action, fm_current_dir, and filename parameters. Attackers can send GET requests to index.php with crafted parameter values to access sensitive files like /etc/passwd from the server."}], "id": "CVE-2019-25632", "lastModified": "2026-03-25T21:45:13.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-24T12:16:03.597", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://sourceforge.net/projects/phpfm/"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46638"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/phpfilemanager-local-file-inclusion-via-index-php"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.7.8"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "phpfilemanager", "vendor": "dulldusk"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.7.8"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "phpFileManager", "source": "cna", "vendor": "Sourceforge"}, "product": "phpfilemanager", "vendor": "sourceforge"}], "analysis": {"en": {"generated_at": "2026-03-24T12:24:45.851259+00:00", "value": {"mitigation_remediation": ["Upgrade phpFileManager to the latest version or apply an available patch.", "If an upgrade is not possible, restrict external access to index.php using web\u2011server rules or a firewall.", "Ensure input parameters are properly validated and sanitized to prevent LFI before the application processes them.", "Verify that file system permissions do not allow the web process to read system files such as /etc/passwd.", "Monitor web logs for repeated attempts to read disallowed files and apply intrusion detection if possible."], "summary": {"action": "Patch Now", "impact": "Local File Inclusion allowing arbitrary file read"}, "threat_synthesis": {"affected_systems": "The flaw affects the Sourceforge phpFileManager 1.7.8 release. No other versions or builds are listed as vulnerable in the available data.", "description_and_impact": "A local file inclusion vulnerability in phpFileManager 1.7.8 permits unauthenticated users to read any file on the server by manipulating the action, fm_current_dir, and filename parameters in index.php. This flaw allows attackers to download sensitive files such as /etc/passwd by issuing crafted GET requests, exposing confidential data and providing a foothold for further exploitation.", "risk_and_exploitability": "With a CVSS score of 6.9, the severity is moderate but noteworthy. Exploitation requires only a web request with specific parameters, meaning any host running the vulnerable package is at risk without authentication. The EPSS score is unavailable, and the vulnerability is not in the CISA KEV catalog, but its relative ease of exploitation makes it a practical threat for attackers scanning web applications."}}}}, "created": "2026-03-25T11:48:42.105710+00:00", "updated": "2026-03-25T20:39:38.851292+00:00", "vendors": ["dulldusk", "dulldusk$PRODUCT$phpfilemanager", "sourceforge", "sourceforge$PRODUCT$phpfilemanager"]}