CVE-2026-57647

bPlugins · Panorama Viewer – 360 Degree Image + Video Viewer

The Panorama Viewer plugin for WordPress is susceptible to a Local File Inclusion (LFI) vulnerability exploitable by users with Contributor-level access.

Executive summary

A Local File Inclusion vulnerability in the Panorama Viewer plugin allows an authenticated Contributor to potentially read sensitive files on the host server.

Vulnerability

This is a Local File Inclusion (LFI) vulnerability that requires the attacker to be authenticated with at least Contributor-level access. The flaw allows an attacker to include files from the local filesystem through the vulnerable plugin component.

Business impact

An LFI vulnerability can lead to the exposure of configuration files, credentials, or sensitive system data, severely compromising server integrity. With a CVSS score of 7.5, this high-severity flaw requires urgent attention to prevent attackers from escalating their privileges or gaining full system control.

Remediation

Immediate Action: Update the Panorama Viewer plugin to the latest version provided by bPlugins to remediate the file inclusion flaw.

Proactive Monitoring: Review file integrity logs and monitor for unusual file access requests that deviate from typical plugin behavior.

Compensating Controls: Restrict plugin access to trusted users and ensure the web server is configured with the principle of least privilege regarding file system permissions.
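One way to audit the least-privilege control above, as an added example (not code from this advisory or from bPlugins): it lists sensitive files that the web server account can read, which is the material a file inclusion flaw would expose. The name patterns, search roots and uid/gid 33 are assumptions to adjust per host.

```python
import os
import stat

# Assumed starting list of sensitive names; extend it for the host being audited.
SENSITIVE_NAMES = {"wp-config.php", ".htpasswd", "id_rsa", "id_ed25519"}
SENSITIVE_SUFFIXES = (".env", ".sql", ".bak", ".pem", ".key")


def can_read(mode, file_uid, file_gid, uid, gids):
    """Unix owner/group/other read check from mode bits (POSIX ACLs ignored)."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit(search_roots, docroot, uid, gids):
    """Sorted paths of sensitive files the account (uid, gids) can read.
    The site's own wp-config.php is exempt because WordPress must read it.
    Parent-directory search bits are not checked, so results may over-report.
    """
    docroot = os.path.realpath(docroot)
    findings = set()
    for root in search_roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.realpath(os.path.join(dirpath, name))
                base = os.path.basename(path)
                if base not in SENSITIVE_NAMES and not base.endswith(SENSITIVE_SUFFIXES):
                    continue
                in_docroot = os.path.commonpath([path, docroot]) == docroot
                if in_docroot and base == "wp-config.php":
                    continue
                try:
                    st = os.stat(path)
                except OSError:
                    continue  # dangling symlink or file removed mid-scan
                if stat.S_ISREG(st.st_mode) and can_read(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                    findings.add(path)
    return sorted(findings)


if __name__ == "__main__":
    # Assumed values: uid/gid 33 is www-data on Debian-family hosts.
    for hit in audit(["/var/www", "/home", "/var/backups"], "/var/www/html", 33, {33}):
        print("readable by web server account:", hit)
```

Every path it reports is a candidate for tighter ownership or mode bits, or for moving off the web host entirely.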

Exploitation status

Public Exploit Available: false

Analyst recommendation

While this vulnerability requires Contributor-level access, the potential for sensitive data exposure is significant. Administrators should verify the plugin version in use and apply the vendor-supplied update immediately, while also auditing the permissions of users with Contributor roles.