Vendor: Vana CMS
Discovered by: Unknown
CVSS: 6.5 (MEDIUM)
Vulnerability class: Arbitrary File Download
CWE: 22
Product Name: Vana CMS
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:vana_cms
Metasploit:
Other Scripts:
Platforms Tested: Unknown
2021

Arbitrary File Download in Vana CMS

The vulnerability in Vana CMS allows attackers to download arbitrary files because the application fails to properly sanitize user-supplied input. By manipulating the 'filename' parameter of the 'download.php' script, an attacker can read arbitrary files within the application's context, potentially gathering sensitive information that can be used in further attacks.

Mitigation:

To mitigate this vulnerability, the Vana CMS developers should properly validate and sanitize the user-supplied 'filename' value before using it to locate a file on disk. Additionally, access controls should restrict file downloads to authorized users.
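The following is an added example of a hardened download handler written for this page; it is not Vana CMS code. It assumes a dedicated download directory (`downloads/` next to the script), a fixed list of downloadable extensions, and a session variable `user_id` set by the application's login code; all of these are assumptions.

```php
<?php
// Added example, not Vana CMS code: a hardened replacement for a download
// handler that takes a user-supplied 'filename' parameter (CWE-22).
declare(strict_types=1);

// Assumption: only files below this directory may ever be served.
const DOWNLOAD_ROOT = __DIR__ . '/downloads';

// Return the absolute path of the requested file if it is safe to serve, else null.
function resolveDownload(string $requested): ?string
{
    // Accept only a plain file name: no directory separators, no leading dot
    // (so '..' and hidden files are rejected), no NUL bytes, bounded length.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $requested)) {
        return null;
    }
    // Assumed allowlist of downloadable types; server-side code such as .php is never served.
    $allowedExt = ['pdf', 'zip', 'txt', 'png', 'jpg'];
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // realpath() resolves symlinks and '..'; the result must still lie under the root,
    // and the separator check prevents a sibling such as 'downloads2' from matching.
    $root = realpath(DOWNLOAD_ROOT);
    $path = realpath(DOWNLOAD_ROOT . '/' . $requested);
    if ($root === false || $path === false || !is_file($path)
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Access control: assumed session variable set by the application's login code.
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

$filename = $_GET['filename'] ?? '';
$path = resolveDownload(is_string($filename) ? $filename : '');
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```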
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/39415/info

Vana CMS is prone to a vulnerability that lets attackers download arbitrary files. The issue occurs because the application fails to sufficiently sanitize user-supplied input.

Exploiting this issue will allow an attacker to view arbitrary files within the context of the application. Information harvested may aid in launching further attacks.

http://www.example.com/download.php?filename=File.php