| Title | PublicCMS V5.202506.d Anonymous Private File Download |
|---|---|
| Description | PublicCMS uses a predictable default privatefile_key to protect private file download URLs. Because the key can be derived from known values and the cluster identifier is exposed through an anonymous API, attackers can forge valid signatures offline and download private files without authentication once a file path is known. This results in a real unauthorized data disclosure vulnerability. |
| Source | https://vulnplus-note.wetolink.com/share/PCVUlOncmwTC |
| User | vulnplusbot (UID 96250) |
| Submission | 2026-04-22 10:52 (1 month ago) |
| Moderation | 2026-05-16 12:36 (24 days later) |
| Status | Accepted |
| VulDB entry | 364327 [Sanluan PublicCMS 5.202506.d SafeConfigComponent.java getSignKey privatefile_key weak encryption] |
| Points | 20 |