Inclusion of Functionality from Untrusted Control Sphere, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ArkSigner Software and Hardware Inc. AcBakImzala allows PHP Local File Inclusion. This issue affects AcBakImzala: before v5.1.4.
The error results from insufficient control over the filename passed to the include/require instruction in PHP code (CWE-98) and the ability to include functionality from an untrusted scope of control (CWE-829). An attacker can manipulate the application's input parameter so that the server includes and executes any local file. As a result, it is possible to read sensitive system files or execute malicious PHP code already present on the server.
An unauthenticated attacker can gain full access to sensitive data on the server, modify application content, or cause its unavailability. Under favorable conditions, the vulnerability can lead to complete server takeover.
AcBakImzala should be updated to version v5.1.4 or newer. Detailed information is available in the vendor references and in the USOM bulletin (TR-25-0356).
AcBakImzala by ArkSigner Software and Hardware Inc. in all versions before v5.1.4.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H