Surreal ToDo Local File Inclusion Vulnerability
Vulnerability
A local file inclusion vulnerability has been identified in Surreal ToDo version 0.6.1.2. It allows unauthenticated attackers to read arbitrary files by manipulating the 'content' parameter of 'index.php': directory traversal sequences supplied in that parameter are used to reach files outside the intended directory, including sensitive system files such as configuration and initialization files.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, potentially including configuration files that may contain credentials or other critical information.
Reproduction
To reproduce this vulnerability, send a GET request to 'index.php' with a 'content' parameter that includes directory traversal sequences. This will allow access to files outside the web root, such as 'C:\Windows\win.ini' on a Windows server.
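Added example, not from this advisory or the Surreal ToDo project: a Python log check that flags requests to index.php whose decoded 'content' value contains traversal or absolute-path sequences, run over constructed sample lines in Apache/nginx combined-log format (the format, paths and sample data are assumptions).

```python
"""Flag requests matching the Surreal ToDo 'content' traversal pattern in web server logs."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined-log format: client, timestamp, request line, status (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Checked after decoding: ../ or ..\, an absolute Windows or POSIX path, or a NUL byte.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|^[a-zA-Z]:[\\/]|^/|\x00')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e) are also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_request(target):
    """True if the request targets index.php with a 'content' value that escapes its directory."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("index.php"):
        return False
    # parse_qs performs one round of decoding; decode_fully handles further layers.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("content", []):
        if TRAVERSAL_RE.search(decode_fully(raw)):
            return True
    return False

def flag_log_lines(lines):
    """Return (client, timestamp, target, status) for each log line that matches the pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious_request(m.group(4)):
            hits.append((m.group(1), m.group(2), m.group(4), int(m.group(5))))
    return hits

# Constructed sample log lines (not taken from any real incident).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /todo/index.php?content=tasks HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /todo/index.php?content=../../../../Windows/win.ini HTTP/1.1" 200 402 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /todo/index.php?content=..%252F..%252Fconfig.php HTTP/1.1" 200 88 "-" "curl/8.0"',
    '10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /todo/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_log_lines(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is the strongest signal, since it indicates the file was served rather than rejected. Pending a vendor fix, restricting 'content' to an allowlist of known page names is the standard hardening for this class of bug.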
