This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1. What is this vulnerability? (Essence + Consequences)
**Essence**: Arbitrary File Download in GDidees CMS.
**Consequences**: Attackers can download sensitive files from the server, leading to data leakage and potential system compromise.

Q2. Root cause? (CWE/Flaw)
**Root Cause**: Unrestricted File Download.
**Flaw**: The `filename` parameter in `/_admin/imgdownload.php` is not properly sanitized, allowing path traversal or direct file access.

Q3. Who is affected? (Versions/Components)
**Affected**: GDidees CMS.
**Versions**: v3.9.1 and all lower versions.
**Vendor**: GDidees Company.

Q4. What can hackers do? (Privileges/Data)
**Attacker Actions**: Download arbitrary files.
**Data Risk**: Access to configuration files, source code, or sensitive user data stored on the server.

Q5. Is the exploitation threshold high? (Auth/Config)
**Threshold**: Likely Low to Medium.
**Auth**: The endpoint is under `/_admin/`, suggesting admin access might be required, but the flaw is in the parameter handling itself.

Q6. Is there a public Exp? (PoC/Wild Exploitation)
**Public Exp?**: Yes.
**PoC**: Available via Nuclei templates and PacketStorm.
**Wild Exp**: Active exploitation tools exist.

Q7. How to self-check? (Features/Scanning)
**Self-Check**: Scan for `/_admin/imgdownload.php`.
**Test**: Inject path traversal characters (`../`) into the `filename` parameter to see if sensitive files are returned.

**No Patch?**: Implement WAF rules to block requests to `/_admin/imgdownload.php` with suspicious `filename` parameters.
**Mitigation**: Restrict access to the admin directory via IP whitelisting.

Q10. Is it urgent? (Priority Suggestion)
**Urgency**: High.
**Priority**: Patch immediately.
**Reason**: Public PoCs are available, making exploitation easy for attackers.