CVE-2019-25582

MEDIUM

i-doit CMDB 1.12 Arbitrary File Download via file_manager Parameter

Title source: cna

Description

i-doit CMDB 1.12 contains an arbitrary file download vulnerability that allows authenticated attackers to download sensitive files by manipulating the file parameter in index.php. Attackers can send GET requests to index.php with file_manager=image and supply arbitrary file paths like src/config.inc.php to retrieve configuration files and sensitive system data.

Exploits (1)

exploitdb WORKING POC
by Ihsan Sencan · text · webapps · php
https://www.exploit-db.com/exploits/46133

Scores

CVSS v3 6.5
EPSS 0.0007
EPSS Percentile 21.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-434
Status published
Products (2)
I-Doit/doit CMDB 1.12
i-doit/i-doit 1.12
Published Mar 21, 2026
Tracked Since Mar 21, 2026