CVE-2023-27179
published 2023-04-11

CVE-2023-27179: GDidees CMS 3.9.1 and earlier contains an arbitrary file download vulnerability via the filename parameter of /_admin/imgdownload.php.

Priority: P2 (70, high)
CVSS 3.1: 7.5 (high)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: yes
EPSS: 60.79% (99.0th percentile)

Affected

1 range

Vendor    Product        Version range    Fixed in
gdidees   gdidees_cms    <= 3.9.1         (none listed)

Detection & IOCs (extracted from sources)

path  /_admin/imgdownload.php
url   /_admin/imgdownload.php?filename=../../../../../../etc/passwd
url   /_admin/imgdownload.php?filename=../../../../../etc/passwd
url   /_admin/imgdownload.php?filename=imgdownload.php
  • Look for HTTP GET requests to /_admin/imgdownload.php whose 'filename' parameter contains path traversal sequences (e.g. '../', including percent-encoded variants such as '%2e%2e%2f'), which indicate directory traversal attempts against the endpoint.
  • Detect responses from /_admin/imgdownload.php carrying Content-Type 'application/force-download'; this header means the endpoint served a file to the requester.
  • Confirm source disclosure by checking the response body for the strings '$filename=$_GET["filename"];' and '@readfile($filename) OR die();'. These are lines from the vulnerable script itself, which can be retrieved with filename=imgdownload.php.
  • imgdownload.php performs no admin session check before serving the file, so the flaw is exploitable without credentials by any remote attacker. Treat unauthenticated requests to the endpoint that carry a filename parameter as suspicious.
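The first detection bullet above can be turned into a log scan. The following is an added example written for this page, not code from GDidees or from the source advisories: it parses combined-format access-log lines (a format assumed here), keeps only requests to /_admin/imgdownload.php, decodes the filename parameter (repeatedly, so double-encoded '%252e%252e%252f' is also caught) and flags traversal sequences, absolute paths, and requests for server-side source files such as the imgdownload.php self-read shown in the IOCs. The log lines in SAMPLE_LOG are constructed for the example and do not come from a real incident.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format) for this example only.
# Lines 1-3 mirror the IOC URLs above; line 4 is a benign download; line 5 is a
# traversal attempt against a different script and must not be attributed to this CVE.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Apr/2023:10:01:02 +0000] "GET /_admin/imgdownload.php?filename=../../../../../../etc/passwd HTTP/1.1" 200 1043 "-" "curl/7.88.1"
203.0.113.5 - - [11/Apr/2023:10:01:09 +0000] "GET /_admin/imgdownload.php?filename=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 2210 "-" "curl/7.88.1"
203.0.113.5 - - [11/Apr/2023:10:01:15 +0000] "GET /_admin/imgdownload.php?filename=imgdownload.php HTTP/1.1" 200 612 "-" "curl/7.88.1"
198.51.100.7 - - [11/Apr/2023:10:02:30 +0000] "GET /_admin/imgdownload.php?filename=banner.png HTTP/1.1" 200 48211 "https://example.test/_admin/" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2023:10:02:31 +0000] "GET /index.php?page=..%2f..%2fetc%2fpasswd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/_admin/imgdownload.php"
# A ".." path component bounded by a slash/backslash or the string boundary.
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
SOURCE_EXTENSIONS = (".php", ".phtml", ".inc")


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so double-encoded traversal (%252e%252e%252f) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_filename(filename):
    """Return a reason string if the filename value looks like abuse of the endpoint, else None."""
    f = decode_fully(filename)
    if TRAVERSAL.search(f):
        return "path traversal"
    if f.startswith("/") or re.match(r'^[A-Za-z]:[\\/]', f):
        return "absolute path"
    if f.lower().endswith(SOURCE_EXTENSIONS):
        return "server-side source requested"
    return None


def scan_log(text):
    """Scan access-log text and return one hit dict per suspicious imgdownload.php request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # Only this endpoint is in scope for CVE-2023-27179; the path is decoded
        # once so an encoded request line still matches.
        if unquote(url.path).lower() != VULN_PATH:
            continue
        # parse_qs percent-decodes each value once; classify_filename decodes further.
        params = parse_qs(url.query, keep_blank_values=True)
        for filename in params.get("filename", []):
            reason = classify_filename(filename)
            if reason:
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "filename": decode_fully(filename),
                    "reason": reason,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} '
              f'{hit["reason"]}: filename={hit["filename"]!r}')
```

The status code is carried through because a 200 on a traversal request is what separates a successful download from a blocked probe once a fix or WAF rule is in place. The second and third detection bullets (the 'application/force-download' header and the leaked PHP source strings) need the response body, which an access log does not record; they belong in a proxy or IDS rule rather than in this scan.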