CVE-2017-15956
Published 2017-10-29

CVE-2017-15956: ConverTo Video Downloader & Converter 1.4.1 allows Arbitrary File Download via the token parameter to download.php.
Priority P3 · 54 · high · CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 4.66% (90.6th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| converto_video_downloader_converter_project | converto_video_downloader_converter | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to download.php containing a 'token' parameter; the token value is a Base64-encoded filename used to traverse and download arbitrary files from the server.
- Alert on requests to download.php where the 'mime' parameter is set to unexpected MIME types (e.g., text/plain, application/octet-stream) rather than legitimate video types, which may indicate an attacker attempting to exfiltrate non-video files.
- Decode Base64 values in the 'token' query parameter on requests to download.php; decoded values resolving to sensitive paths (e.g., /etc/passwd, config files) indicate active exploitation.
- The vulnerable endpoint is download.php within the ConverTo application path; the exact web root path ([PATH]) is installation-dependent and must be adjusted in detection rules accordingly.
- This vulnerability affects specifically version 1.4.1 of ConverTo Video Downloader & Converter; detections should be scoped to installations running this version.
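As an added example (not part of this record or of the vendor's code), a small detector that applies the three rules above to web-server access-log lines: it decodes the 'token' parameter, normalizes the decoded path and flags traversal or sensitive targets, and flags 'mime' values outside an allow-list. The log lines, the MIME allow-list and the sensitive-path pattern are constructed assumptions; download.php is matched by basename because the web root ([PATH]) is installation-dependent.

```python
import base64, binascii, posixpath, re
from urllib.parse import parse_qs, unquote, urlsplit

EXPECTED_MIME = {"video/mp4", "video/webm", "video/x-matroska", "audio/mpeg"}  # hypothetical allow-list
SENSITIVE = re.compile(r"(^|/)(etc/(passwd|shadow)|\.env|\.htaccess|config[^/]*\.php)$")  # never legitimate
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Constructed combined-format access-log lines, not captured traffic; tokens are base64 filenames.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Oct/2017:10:00:01 +0000] "GET /converto/download.php?token=dmlkZW9zL2NsaXAubXA0&mime=video/mp4 HTTP/1.1" 200 5120
10.0.0.9 - - [29/Oct/2017:10:00:07 +0000] "GET /converto/download.php?token=Li4vLi4vLi4vZXRjL3Bhc3N3ZA%3D%3D&mime=text/plain HTTP/1.1" 200 1830
10.0.0.9 - - [29/Oct/2017:10:00:09 +0000] "GET /converto/download.php?token=Y29uZmlnLnBocA%3D%3D&mime=application/octet-stream HTTP/1.1" 200 700
10.0.0.7 - - [29/Oct/2017:10:00:12 +0000] "GET /converto/index.php HTTP/1.1" 200 3400
"""

def decode_token(token):
    # Decode the token the way the application does (base64 of a filename); None if it is not base64.
    raw = unquote(token)
    raw += "=" * (-len(raw) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def inspect_line(line):
    # Return the detection reasons that fire for one access-log line (empty list = benign).
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if posixpath.basename(url.path) != "download.php":  # web root ([PATH]) varies, so match on basename
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    reasons = []
    decoded = decode_token(params.get("token", [""])[0])
    if decoded is None:
        reasons.append("token is not valid base64")
    else:
        normalized = posixpath.normpath(decoded)
        if decoded.startswith("/") or normalized.startswith(".."):
            reasons.append(f"path traversal in token: {decoded!r}")
        if SENSITIVE.search(normalized):
            reasons.append(f"sensitive file requested: {normalized}")
    mime = params.get("mime", [""])[0]
    if mime not in EXPECTED_MIME:
        reasons.append(f"unexpected mime parameter: {mime or '<missing>'}")
    return reasons

def scan(log_text):
    # Map 1-based line numbers to the reasons that fired; lines with no findings are omitted.
    return {i: r for i, line in enumerate(log_text.splitlines(), 1) if (r := inspect_line(line))}
```

Running `scan(SAMPLE_LOG)` flags lines 2 and 3 only; the legitimate video download and the unrelated index.php request produce no findings.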
CVSS provenance
- NVD v3.0: 7.5 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- NVD v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
No detection rules found.
No writeups or analysis indexed.