SSRF vulnerability in remotedownload.php in Allen Disk 1.6 allows remote authenticated users to conduct port scans and access intranet servers via a crafted file parameter.
Max CVSS: 6.5 | EPSS Score: 0.13% | Published: 2017-05-31 | Updated: 2017-06-09
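The remotedownload.php entry describes the classic shape of a server-side fetch abused as a port scanner and intranet proxy. The following is an added example, not Allen Disk's code: a guarded "download by URL" fetch that restricts the scheme and port, refuses hosts resolving to private or loopback addresses, pins the connection to the checked address, and does not follow redirects. The `file` query parameter is taken from the advisory; the function names are assumptions.

```php
<?php
// Added example, not Allen Disk's remotedownload.php. Assumes the target URL
// arrives in $_GET['file']; helper names are assumptions.

// True only for globally routable addresses: rejects 10/8, 172.16/12,
// 192.168/16, 127/8, 169.254/16, 0/8, ::1, fc00::/7, fe80::/10 and similar.
function is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns [url, host, port, ip] for an acceptable target, or null.
function validate_remote_url(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                     // no file://, gopher://, dict://, ftp://
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                     // http://trusted@evil/ style confusion
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return null;                     // an arbitrary :port is what makes the port scan work
    }
    $host = trim($p['host'], '[]');
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];                  // IP literal: check it directly
    } else {
        $ips = gethostbynamel($host);    // IPv4 A records only; false on failure
    }
    if (!$ips) {
        return null;
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return null;                 // any private/loopback answer rejects the host
        }
    }
    return ['url' => $url, 'host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

function fetch_remote(string $url): ?string
{
    $t = validate_remote_url($url);
    if ($t === null) {
        return null;
    }
    $ch = curl_init($t['url']);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Pin the connection to the address that was validated, so a DNS answer
        // that changes between check and fetch (rebinding) cannot point it inward.
        CURLOPT_RESOLVE        => [$t['host'] . ':' . $t['port'] . ':' . $t['ip']],
        CURLOPT_FOLLOWLOCATION => false, // a 302 to http://127.0.0.1/ would bypass the check
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_MAXFILESIZE    => 50 * 1024 * 1024,
    ]);
    $body = curl_exec($ch);
    $ok   = $body !== false && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    curl_close($ch);
    return $ok ? $body : null;
}

$data = fetch_remote($_GET['file'] ?? '');
if ($data === null) {
    http_response_code(400);
    exit('rejected remote URL');
}
// ... store $data as the user's file here
```

Two caveats: gethostbynamel() returns only IPv4 records, so a deployment with IPv6 egress should also check dns_get_record($host, DNS_AAAA); and the filter flags do not cover every special-purpose range (100.64.0.0/10, for instance), so add an explicit denylist for anything else reachable from the server.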
Cross-site scripting (XSS) vulnerability in Allen Disk 1.6 allows remote authenticated users to inject arbitrary web script or HTML persistently by uploading a crafted HTML file. The attack vector is the content of this file, and the filename must be specified in the PATH_INFO to readfile.php.
Max CVSS: 5.4 | EPSS Score: 0.07% | Published: 2017-05-28 | Updated: 2020-03-02
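The readfile.php entry is stored XSS by upload: the uploaded HTML is served from the application's own origin, so the browser renders it with the victim's session. The following added example (not Allen Disk's readfile.php) shows how to hand an uploaded file back without that happening: confine the PATH_INFO name to the upload directory, then force a download with a non-renderable content type, nosniff, and a sandboxing CSP. The upload directory path and function names are assumptions.

```php
<?php
// Added example, not Allen Disk's code. Assumes uploads live under UPLOAD_DIR
// and the requested name comes from PATH_INFO, as the advisory describes.

const UPLOAD_DIR = '/var/www/allendisk/uploads';   // assumed location

// Map the PATH_INFO value to a file strictly inside UPLOAD_DIR, or return null.
function resolve_upload(string $pathInfo): ?string
{
    $name = basename(ltrim($pathInfo, '/'));      // drops directories and ../ segments
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . '/' . $name);
    if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
        return null;                              // symlink or traversal escaped the root
    }
    return is_file($real) ? $real : null;
}

// Send the file as an attachment so the browser never treats it as a page.
function send_upload(string $path): void
{
    // Never trust the stored extension or the uploader's declared MIME type.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    // Belt and braces: even if something inlines it, no scripts and no origin.
    header("Content-Security-Policy: default-src 'none'; sandbox");
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

$path = resolve_upload($_SERVER['PATH_INFO'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit;
}
send_upload($path);
```

If files must be viewable inline (images, PDFs), serve them from a separate cookie-less origin or subdomain rather than relaxing these headers on the main application origin.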
/admin/loginc.php in Allen Disk 1.6 does not verify that $_SESSION['captcha']['code'] is set before comparing it with $_POST['captcha']; because an unset value compares loosely equal to an empty string in PHP, submitting an empty captcha field bypasses the CAPTCHA.
Max CVSS: 7.5 | EPSS Score: 0.07% | Published: 2017-05-19 | Updated: 2020-03-02
reg.php in Allen Disk 1.6 has the same flaw: it does not verify that $_SESSION['captcha']['code'] is set before the comparison, so an empty $_POST['captcha'] bypasses the CAPTCHA.
Max CVSS: 7.5 | EPSS Score: 0.07% | Published: 2017-05-19 | Updated: 2020-03-02
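Both CAPTCHA entries (/admin/loginc.php and reg.php) describe the same loose-comparison bug. The following added example, not Allen Disk's code, reproduces the vulnerable pattern and then a hardened check; the $_SESSION['captcha']['code'] layout is taken from the advisory text, everything else is an assumption. The functions take the session and POST arrays as parameters so the two behaviours can be compared side by side.

```php
<?php
// Added example, not Allen Disk's code. Session key layout from the advisory;
// function names and the caller are assumptions.

// Vulnerable pattern: when no CAPTCHA was ever generated for this session,
// $_SESSION['captcha']['code'] is undefined (null), and in PHP  null == ''
// is true, so an empty captcha field passes. A missing field (null == null)
// passes as well. The ?? null mirrors an undefined index without the notice.
function captcha_ok_vulnerable(array $session, array $post): bool
{
    return ($session['captcha']['code'] ?? null) == ($post['captcha'] ?? null);
}

// Hardened check: require a non-empty string on both sides, consume the code
// so it cannot be replayed, and compare in constant time.
function captcha_ok_fixed(array &$session, array $post): bool
{
    $expected = $session['captcha']['code'] ?? null;
    $given    = $post['captcha'] ?? null;
    unset($session['captcha']);                      // single use, even on failure
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;                                // nothing generated, or array/empty input
    }
    return hash_equals(strtolower($expected), strtolower($given));
}

// Caller, as a login or registration handler would use it:
session_start();
if (!captcha_ok_fixed($_SESSION, $_POST)) {
    http_response_code(403);
    exit('CAPTCHA failed');
}
```

With a session that never rendered a CAPTCHA and an empty captcha field, captcha_ok_vulnerable() returns true and captcha_ok_fixed() returns false. The is_string() test also blocks a captcha[]=x array submission, which a plain == comparison handles unpredictably.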
Allen Disk 1.6 has CSRF in setpass.php; a forged request can change the victim's password.
Max CVSS: 6.5 | EPSS Score: 0.05% | Published: 2017-05-08 | Updated: 2020-03-02
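For a password-change form the standard fix is a synchronizer token plus a current-password check, so that a cross-site request cannot succeed even if the token handling is wrong somewhere. The following is an added example, not Allen Disk's setpass.php; the field names, the session key and the way the stored hash is obtained are assumptions.

```php
<?php
// Added example, not Allen Disk's code. Field and session key names are assumptions.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]); // PHP 7.3+
session_start();

// One random token per session, embedded in the form and checked on submit.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid($given): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// $storedHash is the user's current password_hash() value (loaded by the caller).
// Returns the new hash to store, or null if the request must be refused.
function change_password(array $post, string $storedHash): ?string
{
    if (!csrf_valid($post['csrf_token'] ?? null)) {
        return null;                                  // forged cross-site request
    }
    if (!password_verify((string)($post['old_password'] ?? ''), $storedHash)) {
        return null;                                  // attacker does not know the current password
    }
    $new = (string)($post['new_password'] ?? '');
    if (strlen($new) < 12 || $new !== (string)($post['confirm_password'] ?? '')) {
        return null;
    }
    return password_hash($new, PASSWORD_DEFAULT);
}

// Rendering the form with the token:
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="setpass.php">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="password" name="old_password">'
   . '<input type="password" name="new_password">'
   . '<input type="password" name="confirm_password">'
   . '<button>Change password</button></form>';
```

On POST the handler loads the user's current hash, calls change_password($_POST, $hash), stores the returned hash, and should then regenerate the session ID. The SameSite=Lax cookie attribute is defence in depth only: the token and the old-password check are what actually stop the attack.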
Allen Disk 1.6 has XSS in the id parameter to downfile.php.
Max CVSS: 6.1 | EPSS Score: 0.08% | Published: 2017-05-08 | Updated: 2020-03-02
6 vulnerabilities found