Local File Inclusion (LFI) in imFAQ Module for ImpressCMS Prior to 1.0.1
imFAQ, a questions and answers management system for ImpressCMS, contains a Local File Inclusion vulnerability in versions prior to 1.0.1. An attacker can manipulate the $_GET['seoOp'] parameter to read sensitive server files by using crafted input like seoOp=php://filter/read=convert.base64-encode/resource=/var/www/html/config.php. The $_GET['seoOp'] and $_GET['seoArg'] parameters are used without proper sanitization or validation. While this vulnerability is partly mitigated by ImpressCMS storing sensitive files outside the web root in a randomized folder, it remains a security risk until version 1.0.1, which resolves the issue.
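The usual remedy for this class of bug is to stop building a path from the request value at all and use it only as a lookup key. The following is an added example, not imFAQ's code and not the actual 1.0.1 patch; the operation names, target scripts and function names are hypothetical, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical operation names and target scripts; the advisory does not
// show imFAQ's real ones.
const SEO_OPS = [
    'faq'      => 'faq.php',
    'category' => 'category.php',
];

/**
 * Map a request-supplied seoOp to a script path, or return null.
 * The request value is only a lookup key and never becomes part of the
 * path, so stream wrappers such as php://filter have nothing to act on.
 */
function resolve_seo_op(mixed $seoOp, string $baseDir): ?string
{
    if (!is_string($seoOp) || !array_key_exists($seoOp, SEO_OPS)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . SEO_OPS[$seoOp];
}

/** Restrict seoArg to a short slug; anything else is rejected. */
function clean_seo_arg(mixed $seoArg): ?string
{
    if (!is_string($seoArg)
        || preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $seoArg) !== 1) {
        return null;
    }
    return $seoArg;
}

// Constructed sample inputs, including the value quoted in the advisory.
$samples = [
    'faq',
    'php://filter/read=convert.base64-encode/resource=/var/www/html/config.php',
    'unknown-op',
    ['faq'], // seoOp[]=faq reaches PHP as an array, not a string
];

foreach ($samples as $s) {
    $label = is_string($s) ? substr($s, 0, 24) : gettype($s);
    $path  = resolve_seo_op($s, __DIR__);
    printf("%-24s => %s\n", $label, $path ?? 'rejected');
}
```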
Vulnerable Product |
---|
impressmodules imfaq |