HPE has multiple remote file-include vulnerabilities. A remote attacker could execute arbitrary scripts on the web server with the privileges of the server, via a specially-crafted URL request to multiple script pages, by using the 'HPEinc' parameter to specify a malicious PHP file from a remote system.
HPE version 0.6.1.
HPE version 0.6.5
HPE version 0.7.0
HPE version 1.0
Currently we are not aware of any vendor-supplied patches for this issue.