CVE-2020-14946

MEDIUM

Global RADAR BSA Radar <1.6.7234.24750 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-14946. PoCs published by William Summerhill.

AI-analyzed exploit summary: This exploit demonstrates a Local File Inclusion (LFI) vulnerability in BSA Radar 1.6.7234.24750 and lower. By manipulating the FileName parameter in the /UC/downloadFile.ashx endpoint, an authenticated attacker can read arbitrary files on the server.

Description

downloadFile.ashx in the Administrator section of the Surveillance module in Global RADAR BSA Radar 1.6.7234.24750 and earlier allows users to download transaction files. When downloading the files, a user is able to view local files on the web server by manipulating the FileName and FilePath parameters in the URL, or while using a proxy. This vulnerability could be used to view local sensitive files or configuration files.

Exploits (1)

exploitdb WORKING POC
by William Summerhill · text · webapps · multiple
https://www.exploit-db.com/exploits/48666

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: BSA Radar - Version 1.6.7234.24750 and lower
Auth required
Prerequisites: Valid user privileges to access the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 4.3
EPSS 0.0770
EPSS Percentile 93.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE CWE-22
Status published
Products (1)
globalradar/bsa_radar < 1.6.7234.24750
Published Jun 22, 2020
Tracked Since Feb 18, 2026