Lucene search
Johan KragtWPEX-ID:3802D15D-9BFD-4762-AB8A-04475451868EHistoryMay 08, 2023 - 12:00 a.m.
Download Manager < 3.2.71 - Broken Access Controls
2023-05-0800:00:00
Johan Kragt
99
password protection
access control
security exploit
download manager
EPSS
0.001
Percentile
29.8%
The plugin does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file’s password.
- Create two password protected files with different passwords. Note the post ID for each file.
- Navigate to the download page for one of the files. E.g. `<host>/download/password_protected_file_1/`
- Click the "Download" button and enter the password.
- The modal will have a new Download button. Click this one, and intercept the request.
- Change the `wpdmdl` URL parameter to the ID of the other file.
- See that the other file is downloaded without using its password.Related
openvas
openvas
cve
cve
CVE-2023-1524
2023-05-30 08:15:09
prion
prion
Default credentials
2023-05-30 08:15:00
wpvulndb
wpvulndb
Download Manager < 3.2.71 - Broken Access Controls
2023-05-08 00:00:00
nvd
nvd
CVE-2023-1524
2023-05-30 08:15:09
cvelist
cvelist
CVE-2023-1524 Download Manager < 3.2.71 - Broken Access Controls
2023-05-30 07:49:11
wordfence
wordfence