22 matches found
CVE-2026-7879 Concrete CMS 9.5.0 and below is vulnerable to File Download Authorization Bypass in submit_password()
In Concrete CMS 9.5.0 and below, the submitpassword method in concrete/controllers/singlepage/downloadfile.php allows unauthorized file access since downloading permission-restricted files bypasses the viewfile permission check. Files without passwords can be downloaded and any user who knows a...
CVE-2026-7879
Concrete CMS 9.5.0 and earlier is affected by a vulnerability in submit_password() within concrete/controllers/single_page/download_file.php that permits unauthorized access to files. The issue arises because downloading permission-restricted files bypasses the view_file permission check; files w...
CVE-2026-42277
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/fileid endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never checks that the file...
CVE-2026-34581
goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2...
CVE-2026-34784
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the...
M-Files Server 安全漏洞
M-Files Server is a server for the M-Files system from M-Files, Inc. A security vulnerability exists in M-Files Server versions prior to 25.12 that stems from improper access checking and could lead to file download bypass...
EUVD-2005-0146
Malware in sbrugna...
EUVD-2023-12221
Malicious code in bioql PyPI...
EUVD-2023-57444
Malicious code in bioql PyPI...
CVE-2022-2367
The WSM Downloader WordPress plugin through 1.4.0 allows only specific popular websites to download images/files from, this can be bypassed due to the lack of good "link" parameter validation...
UBUNTU-CVE-2023-0131
Inappropriate implementation in in iframe Sandbox in Google Chrome prior to 109.0.5414.74 allowed a remote attacker to bypass file download restrictions via a crafted HTML page. Chromium security severity: Medium...
Google Chrome 安全漏洞
Google Chrome is a web browser from Google, an American company. A code issue vulnerability exists in versions of Google Chrome prior to 109.0.5414.74, which stems from an improper implementation of its iframe Sandbox, and can be exploited by remote attackers to bypass file download restrictions...
CVE-2023-0131
The CVE-2023-0131 entry concerns Google Chrome before version 109.0.5414.74, where an inappropriate implementation in the iframe Sandbox could allow a remote attacker to bypass file download restrictions via a crafted HTML page. The vulnerability affects Chrome/Chromium sandbox behavior and is ra...
The vulnerability of the WKUserScript script in Mozilla Firefox’s browser loading mechanism for iOS allows a malicious user to load any file they desire.
The vulnerability of the WKUserScript script in Mozilla Firefox’s browser download function for iOS is related to deficiencies in access control. Exploiting this vulnerability allows a remote attacker to download any file they desire...
CVE-2020-26549
CVE-2020-26549 affects Aviatrix Controller prior to R5.4.1290. The vulnerability arises from an htaccess protection mechanism that prevents requests to directories, which can be bypassed to download files beyond a user’s rights. Documented impact in CNVD/NVD entries: an attacker could download re...
chromium-browser: Multiple file download protection bypass
Insufficient filtering in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass multiple file download protection via a crafted HTML page...
Google Chrome < 50.0.2661.75 Multiple Vulnerabilities
Binary data 9369.pasl...
CVE-2005-0145
Firefox before 1.0 does not properly distinguish between user-generated and synthetic click events, which allows remote attackers to use Javascript to bypass the file download prompt when the user uses the Alt-click feature...
CVE-2005-0145
Firefox before 1.0 does not properly distinguish between user-generated and synthetic click events, which allows remote attackers to use Javascript to bypass the file download prompt when the user uses the Alt-click feature...
CVE-2004-1331
The execCommand method in Microsoft Internet Explorer 6.0 SP2 allows remote attackers to bypass the "File Download - Security Warning" dialog and save arbitrary files with arbitrary extensions via the SaveAs command...