huntr / Mnqazi / E1107D79-1D63-4238-90B7-5CC150512654
Apr 26, 2023 - 6:47 a.m.

Local File Inclusion (LFI)

2023-04-26 06:47:25
mnqazi
www.huntr.dev
local file inclusion
data theft
remote exploitation
server compromise
sensitive information

EPSS: 0.001 (Low)

Percentile: 36.1%

Description

The code contains a Local File Inclusion (LFI) vulnerability. An attacker can manipulate the “InternalPath” parameter in a request to include files from the server’s file system, and so read arbitrary files on the server, such as configuration files, databases, and other files that contain sensitive information. The vulnerability can be exploited remotely, and it can have severe consequences, including data theft, server compromise, and loss of confidential information.

Proof of Concept

https://drive.google.com/file/d/1PP54_q8oTKVZwAozKC3i4nCVQbVuWkye/view?usp=sharing
