3.1 CVE-2025-52996

Exploit
 

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions 2.32.0 and prior, the implementation of password protected links is error-prone, resulting in potential unprotected sharing of a file through a direct download link. This link can either be shared unknowingly by a user or discovered from various locations such as the browser history or the log of a proxy server used. At time of publication, no known patched versions are available.
https://nvd.nist.gov/vuln/detail/CVE-2025-52996

Categories

CWE-305 : Authentication Bypass by Primary Weakness
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. The provided password is only compared against the first character of the real password. The password is not properly checked, which allows remote attackers to bypass access controls by sending a 1-byte password that matches the first character of the real password. Chain: Forum software does not properly initialize an array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the password and gain administrative privileges.

References


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:* <= 2.32.0

REMEDIATION


EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3v48-283x...

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
No entry