It's possible to include local files through the /api/download endpoint. This endpoint exists to download reports from FUXA, but it reads local files named by the HTTP GET "name" parameter:
/api/download?cmd=REPORT-DOWNLOAD&name=../../../../../../etc/passwd
Affected product: FUXA
Version affected: <= 1.1.12
Problem: Local File Inclusion
Description: It's possible to include local files through the /api/download endpoint. This endpoint exists to download reports from FUXA, but it reads local files named by the HTTP GET "name" parameter:
/api/download?cmd=REPORT-DOWNLOAD&name=../../../../../../etc/passwd