Home

Description

FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. Attackers can exploit the template settings by inserting file inclusion payloads to read sensitive system files like /etc/passwd during email generation.

PUBLISHED Reserved 2025-12-11 | Published 2025-12-11 | Updated 2025-12-18 | Assigner VulnCheck




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Product status

Default status
unaffected

1.1.2
affected

Credits

Chokri Hammedii finder

References

www.exploit-db.com/exploits/51947 (ExploitDB-51947) exploit

flarum.org/ (Flarum Homepage) product

github.com/FriendsOfFlarum/pretty-mail (Pretty Mail GitHub Repository) product

www.vulncheck.com/...e-inclusion-via-email-template-settings (VulnCheck Advisory: FoF Pretty Mail 1.1.2 Local File Inclusion via Email Template Settings) third-party-advisory

cve.org (CVE-2024-58302)

nvd.nist.gov (CVE-2024-58302)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.