An attacker can include file contents from outside the /adapter/xxx/
directory, where xxx
is the name of an existent adapter like "admin". It is exploited using the administrative web panel with a request for an adapter file. Note: The attacker has to be logged in if the authentication is enabled (by default isn't enabled).