CVE-2023-1524
Published 2023-05-30
Priority: P3 (38) · medium · 6.5 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.74% (49.9th percentile)
The Download Manager WordPress plugin before 3.2.71 does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file's password.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| w3eden | download_manager | < 3.2.71 | 3.2.71 |
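CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| vendor_redhat | | 5.5 | MEDIUM | |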
GHSA
GHSA-mxx9-mm8m-9wm6: The Download Manager WordPress plugin before 3
ghsa_unreviewed·2023-05-30
CVE-2023-1524 [MEDIUM] CWE-284 GHSA-mxx9-mm8m-9wm6: The Download Manager WordPress plugin before 3
Red Hat
kernel: Kernel: Denial of Service via ubifs memory leak
vendor_redhat·2025-09-16·CVSS 5.5
CVE-2023-53276 [MEDIUM] CWE-772 kernel: Kernel: Denial of Service via ubifs memory leak
In the Linux kernel, the following vulnerability has been resolved:
ubifs: Free memory for tmpfile name
When opening a ubifs tmpfile on an encrypted directory, function
fscrypt_setup_filename allocates memory for the name that is to be
stored in the directory entry, but after the name has been copied to the
directory entry inode, the memory is not freed.
When running kmemleak on it we see that it is registered as a leak. The
report below is triggered by a simple program 'tmpfile' just opening a
tmpfile:
    unreferenced object 0xffff88810178f380 (size 32):
      comm "tmpfile", pid 509, jiffies 4294934744 (age 1524.742s)
      backtrace:
        __kmem_cache_alloc_node
        __kmalloc
        fscrypt_setup_filename
        ubifs_tmpfile
        vfs_tmpfile
        path_openat
Free this memory a
No detection rules found.
No public exploits indexed.