MineAdmin Information Disclosure Vulnerability in downloadById Function

Vulnerability

An arbitrary file download vulnerability has been identified in MineAdmin versions 1.x and 2.x. The issue is in the downloadById function, where manipulating the ID parameter can lead to unauthorized access to sensitive information. The vulnerability can be exploited remotely, and although exploitation is considered complex, a public proof-of-concept is available.

Impact

Because the flaw permits arbitrary file download, exploitation gives unauthorized access to sensitive information.

Reproduction

To reproduce this vulnerability, send a GET request to the /system/downloadById endpoint with an ID parameter. The ID is an auto-incrementing number, so it can be enumerated to download multiple files in bulk.

Remediation

It is recommended to strengthen permission validation at the system/downloadById interface.
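
Until the permission check is in place, access logs can show whether the endpoint has already been walked by sequential ID. The following is an added example, not MineAdmin code or part of the original advisory: it flags clients that request runs of consecutive IDs from /system/downloadById. It assumes common-log-format access logs and a query parameter named "id" (the advisory only says "ID parameter"); the log lines and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in common log format; not taken from a real system.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /system/downloadById?id=101 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /system/downloadById?id=102 HTTP/1.1" 200 88211
203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "GET /system/downloadById?id=103 HTTP/1.1" 404 31
203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "GET /system/downloadById?id=104 HTTP/1.1" 200 1734
203.0.113.7 - - [01/Jan/2026:10:00:03 +0000] "GET /system/downloadById?id=105 HTTP/1.1" 200 90412
198.51.100.23 - - [01/Jan/2026:10:05:40 +0000] "GET /system/downloadById?id=57 HTTP/1.1" 200 2048
198.51.100.23 - - [01/Jan/2026:11:42:13 +0000] "GET /system/downloadById?id=912 HTTP/1.1" 200 4096
"""

# Assumption: the ID is passed as a query parameter named "id".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /system/downloadById\?'
    r'(?:[^" ]*&)?id=(?P<id>\d+)\S* HTTP/[\d.]+" (?P<status>\d{3}) ')

def longest_run(ids):
    """Length of the longest run of consecutive integers in the set ids."""
    best = 0
    for n in ids:
        if n - 1 not in ids:  # n is the start of a run
            length = 1
            while n + length in ids:
                length += 1
            best = max(best, length)
    return best

def find_enumeration(log_text, min_distinct=5, min_run=4):
    """Map client IP -> stats for clients that walk sequential download IDs."""
    per_ip = defaultdict(lambda: {"ids": set(), "served": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = per_ip[m["ip"]]
            entry["ids"].add(int(m["id"]))
            entry["served"] += int(m["status"] == "200")  # files actually returned
    flagged = {}
    for ip, e in per_ip.items():
        run = longest_run(e["ids"])
        if len(e["ids"]) >= min_distinct and run >= min_run:
            flagged[ip] = {"distinct_ids": len(e["ids"]), "longest_run": run, "served": e["served"]}
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

The "served" count is the number of requests answered with 200, which bounds how many files a flagged client may have received and need review.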

Added: Jan 20, 2026, 1:24 AM
Updated: Jan 20, 2026, 1:24 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.