Michal Blaszczak has reported multiple vulnerabilities in CitrusDB, which can be exploited by malicious users to disclose potentially sensitive information.
Input passed via the "load" parameter to index.php (when "type" is set to "base", "dl", "fs" , or "module") is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.
The vulnerabilities are reported in version 2.4.1. Other versions may also be affected.
Vulnerable Products
Vulnerable Software: CitrusDB 2.x
Solution
Edit the source code to ensure that input is properly sanitised.