Allen Disk Project: Security Vulnerabilities, CVEs
SSRF vulnerability in remotedownload.php in Allen Disk 1.6 allows remote authenticated users to conduct port scans and access intranet servers via a crafted file parameter.
Max CVSS: 6.5 | EPSS Score: 0.13% | Published: 2017-05-31 | Updated: 2017-06-09
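The entry above describes the classic shape of server-side request forgery: the server fetches whatever URL the client names. The following is an added example, not code from Allen Disk, showing how a download endpoint of that kind can be hardened. It assumes the download URL arrives in the `file` parameter, that cURL is used for the fetch, and that only HTTP(S) on ports 80/443 to public addresses is a legitimate use; the function names are mine.

```php
<?php
// Added example (not Allen Disk's remotedownload.php): decide on the resolved
// address, then pin cURL to that address so the check cannot be bypassed by
// DNS rebinding, redirects, or a non-HTTP scheme.

function is_public_ip(string $ip): bool {
    // PHP's flags reject RFC 1918, loopback, link-local (169.254/16, where
    // cloud metadata lives), 0.0.0.0/8, 240/4, ::1, fc00::/7, fe80::/10, etc.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns the IP the fetch may use, or null if the URL must be refused.
function resolve_public_target(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) return null;
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) return null;   // no file://, gopher://, dict://
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) return null;             // no port scanning through us
    $host = trim($p['host'], '[]');                                  // parse_url keeps IPv6 brackets
    // Resolve here (A records only; gethostbynamel does not return AAAA) and
    // refuse the host if *any* answer is private: one internal A record is enough to pivot.
    $ips = gethostbynamel($host);
    if ($ips === false) $ips = [$host];          // literal IP, or unresolvable (then rejected below)
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) return null;
    }
    return $ips[0];
}

function fetch_remote(string $url, string $dest): bool {
    $ip = resolve_public_target($url);
    if ($ip === null) return false;
    $p    = parse_url($url);
    $host = trim($p['host'], '[]');
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    $fh = fopen($dest, 'wb');
    if ($fh === false) return false;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RESOLVE        => ["$host:$port:$ip"],   // use exactly the address we vetted
        CURLOPT_FOLLOWLOCATION => false,                 // a 302 to http://127.0.0.1/ is not followed
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_FILE           => $fh,
    ]);
    $ok = curl_exec($ch) !== false
        && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    curl_close($ch);
    fclose($fh);
    return $ok;
}

// Usage sketch (assumed parameter name and storage path):
if (PHP_SAPI !== 'cli' && isset($_GET['file']) && is_string($_GET['file'])) {
    $dest = '/var/www/allendisk/uploads/' . bin2hex(random_bytes(8));
    if (!fetch_remote($_GET['file'], $dest)) {
        http_response_code(400);
    }
}
```

Two points worth checking in any fix of this class: the address check and the connection must use the same resolution (here `CURLOPT_RESOLVE` pins it; checking and then letting cURL resolve again leaves a rebinding window), and redirects must be disabled or re-validated hop by hop, because a public host can answer with a `Location` pointing at the intranet. Hosts reachable only over IPv6 are refused by this version, which is the safe direction if that is acceptable for the deployment.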
Cross-site scripting (XSS) vulnerability in Allen Disk 1.6 allows remote authenticated users to inject arbitrary web script or HTML persistently by uploading a crafted HTML file. The payload is the content of that file, which executes when readfile.php serves it with the filename given in the PATH_INFO.
Max CVSS: 5.4 | EPSS Score: 0.07% | Published: 2017-05-28 | Updated: 2020-03-02
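The stored XSS above works because an uploaded file is returned in the application's own origin with a type the browser is willing to render. The following is an added example, not Allen Disk's readfile.php, of serving a stored upload so it is downloaded rather than rendered. It assumes a flat upload directory (the path is a placeholder) and that the filename arrives in `PATH_INFO` as the entry states; the containment check on the path is general hygiene for any file-serving endpoint, not a flaw this listing reports.

```php
<?php
// Added example (not Allen Disk's readfile.php): user-supplied content is
// never sent with a renderable Content-Type in the site's origin.

const UPLOAD_DIR = '/var/www/allendisk/uploads';   // assumed location

function send_upload(string $requested): void {
    // Accept a bare filename only; reject separators and dotfiles.
    $name = basename($requested);
    if ($name === '' || $name !== $requested || $name[0] === '.') {
        http_response_code(400);
        return;
    }
    $real = realpath(UPLOAD_DIR . '/' . $name);
    if ($real === false || !is_file($real)
        || strncmp($real, UPLOAD_DIR . '/', strlen(UPLOAD_DIR) + 1) !== 0) {
        http_response_code(404);
        return;
    }
    // The actual fix for the XSS: a fixed non-HTML type, no sniffing, and a
    // download disposition, so a crafted .html upload is a file, not a page.
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename*=UTF-8\'\'' . rawurlencode($name));
    // Defence in depth: if a browser renders it anyway, it gets no script and a unique origin.
    header('Content-Security-Policy: sandbox');
    header('Content-Length: ' . filesize($real));
    readfile($real);
}

if (PHP_SAPI !== 'cli') {
    $requested = isset($_SERVER['PATH_INFO']) ? ltrim($_SERVER['PATH_INFO'], '/') : '';
    send_upload($requested);
}
```

If inline viewing of uploads is a product requirement, the robust alternative is to serve them from a separate origin (a dedicated downloads hostname with no session cookies), so that even a rendered HTML file cannot reach the application's cookies or DOM.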
/admin/loginc.php in Allen Disk 1.6 does not check that $_SESSION['captcha']['code'] is set before comparing it with the submitted value, so a request with an empty $_POST['captcha'] bypasses the CAPTCHA.
Max CVSS: 7.5 | EPSS Score: 0.07% | Published: 2017-05-19 | Updated: 2020-03-02
reg.php in Allen Disk 1.6 does not check that $_SESSION['captcha']['code'] is set before comparing it with the submitted value, so an empty $_POST['captcha'] bypasses the CAPTCHA.
Max CVSS: 7.5 | EPSS Score: 0.07% | Published: 2017-05-19 | Updated: 2020-03-02
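The two CAPTCHA entries (loginc.php and reg.php) describe the same logic flaw, so one added example covers both. It is not Allen Disk's code; it models the check the entries describe in a `captcha_check_vulnerable()` function and puts the corrected check beside it. The session and POST arrays are passed in explicitly so the two functions can be exercised with constructed input; the assumption that codes compare case-insensitively is mine.

```php
<?php
// Added example (not Allen Disk's loginc.php/reg.php): why a missing isset()
// on the session side turns an empty POST field into a CAPTCHA bypass.

// Pattern the advisories describe: neither side is verified to exist, and the
// comparison is loose. A client that never loaded the CAPTCHA image (so no
// code was ever stored) and posts captcha="" passes, because null == '' in PHP.
function captcha_check_vulnerable(array $session, array $post): bool {
    $expected = $session['captcha']['code'] ?? null;   // undefined index -> null
    $given    = $post['captcha'] ?? null;
    return $given == $expected;
}

// Corrected check: the session must hold a code, the client must send a
// non-empty string, the comparison is strict and constant-time, and the code
// is consumed so it cannot be replayed across attempts.
function captcha_check_fixed(array &$session, array $post): bool {
    if (!isset($session['captcha']['code']) || !is_string($session['captcha']['code'])) {
        return false;
    }
    $expected = $session['captcha']['code'];
    unset($session['captcha']['code']);               // single use, even on failure
    if (!isset($post['captcha']) || !is_string($post['captcha']) || $post['captcha'] === '') {
        return false;
    }
    // Assumed: codes are compared case-insensitively, as most image CAPTCHAs do.
    return hash_equals(strtolower($expected), strtolower($post['captcha']));
}

// Constructed scenario: a fresh session in which no CAPTCHA was ever issued,
// and a direct POST to the login/registration handler with an empty field.
$session = [];
$post    = ['captcha' => ''];
$bypassed = captcha_check_vulnerable($session, $post);
$blocked  = !captcha_check_fixed($session, $post);

// And the legitimate path: a code was issued and the user typed it.
$session = ['captcha' => ['code' => 'k7p2q']];
$post    = ['captcha' => 'K7P2Q'];
$accepted = captcha_check_fixed($session, $post);
```

With that scenario `$bypassed` is true and `$blocked` is true: the vulnerable comparison accepts the empty submission against an absent code, the fixed one refuses it, and `$accepted` shows the fixed check still passes a real answer. The `isset()` guard is the fix the advisories name; the strict comparison and the `unset()` close the adjacent holes (type juggling on `==`, and replaying one solved CAPTCHA for many login attempts) that a reviewer would ask about in the same patch.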
Cross-site request forgery (CSRF) in setpass.php in Allen Disk 1.6 allows an attacker who can get a logged-in user's browser to submit the form to change that user's password.
Max CVSS: 6.5 | EPSS Score: 0.05% | Published: 2017-05-08 | Updated: 2020-03-02
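A password-change form without an anti-forgery token is exactly the target CSRF was named for. The following is an added example, not Allen Disk's setpass.php, of the synchronizer-token pattern plus re-authentication for a password change. It assumes `session_start()` has already run, and the field names, the stored bcrypt hash and the `$store_new_hash` callback are placeholders for however the application persists credentials.

```php
<?php
// Added example (not Allen Disk's setpass.php): per-session CSRF token,
// constant-time check, POST only, and the current password required.

function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 256 bits, CSPRNG
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid($token): bool {
    return is_string($token)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $token);     // no early-exit compare
}

// Emit this inside the <form> that posts to setpass.php.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Returns the HTTP status the handler should send. $stored_hash is the user's
// current password_hash() value; $store_new_hash persists the replacement.
function handle_setpass(string $stored_hash, callable $store_new_hash): int {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') return 405;  // no GET-triggered changes
    if (!csrf_valid($_POST['csrf_token'] ?? null))      return 403;  // forged cross-site post
    $current = $_POST['current_password'] ?? '';
    $new     = $_POST['new_password'] ?? '';
    if (!is_string($current) || !is_string($new) || strlen($new) < 8) return 400;
    // Re-authentication: a victim's ambient session is not enough on its own,
    // which also limits what a stolen session cookie can do.
    if (!password_verify($current, $stored_hash)) return 403;
    $store_new_hash(password_hash($new, PASSWORD_DEFAULT));
    session_regenerate_id(true);          // new session id after a credential change
    return 200;
}

// Usage sketch with a constructed stored hash:
if (PHP_SAPI !== 'cli') {
    $stored = password_hash('old-secret-123', PASSWORD_DEFAULT);   // placeholder for the DB value
    http_response_code(handle_setpass($stored, function (string $hash): void {
        // persist $hash for the logged-in user here
    }));
}
```

Two complementary settings belong with this: set the session cookie with `SameSite=Lax` (via `session_set_cookie_params()` before `session_start()`) so ordinary cross-site POSTs do not carry the session at all, and reject POSTs whose `Origin` or `Referer` header names another site. The token remains the primary control; the cookie attribute and header check are backstops for browsers and paths where it is missing.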
Cross-site scripting (XSS) in downfile.php in Allen Disk 1.6 via the id parameter.
Max CVSS: 6.1 | EPSS Score: 0.08% | Published: 2017-05-08 | Updated: 2020-03-02
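The listing only says that the `id` parameter to downfile.php is the XSS vector, not how it is reflected. The following added example (not Allen Disk's downfile.php) assumes the common case, a file identifier echoed back in an error page, and shows the two controls that close it: validating the parameter to its one legal shape before use, and HTML-encoding anything that is reflected regardless.

```php
<?php
// Added example (not Allen Disk's downfile.php): validate first, encode on output.

// A file id has exactly one legal shape (assumed: a decimal integer), so
// anything else never reaches a query or a page.
function parse_file_id($raw): ?int {
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 18) {
        return null;
    }
    return (int) $raw;
}

// Output encoding for HTML text and attribute contexts. ENT_QUOTES covers both
// quote styles, ENT_SUBSTITUTE keeps invalid UTF-8 from emptying the output,
// and the explicit charset matches the Content-Type sent below.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Even a rejected value is encoded when it is shown back to the user.
function render_not_found(string $raw): string {
    return '<p>File ' . html($raw) . ' not found.</p>';
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
    $raw = isset($_GET['id']) && is_string($_GET['id']) ? $_GET['id'] : '';
    $id  = parse_file_id($raw);
    if ($id === null) {
        http_response_code(400);
        echo render_not_found($raw);
        exit;
    }
    // ... look up $id and stream the file ...
}
```

The order matters: validation keeps a payload such as `<script>` out of every sink, while the encoder on the error path is what protects the one place the raw string is still shown. If the parameter is ever reflected inside a JavaScript block or a URL, `htmlspecialchars()` is the wrong encoder for that context and a context-specific one is needed.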
6 vulnerabilities found