Jupiter CMS 1.1.5, when display_errors is enabled, allows remote malicious users to obtain the full server path via a direct request to modules/online.php.
jupiter cms jupiter cms 1.1.5