CVE-2020-36988

MEDIUM

PDW File Browser < 1.3 - Authenticated Stored and Reflected Cross-Site Scripting via File Rename and Path Parameters

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36988. PoCs published by David Bimmel.

AI-analyzed exploit summary: the writeup describes stored and reflected XSS in PDW File Browser <= v1.3 caused by missing input validation and output encoding. The stored XSS lives in the 'rename' function (the attacker-chosen file name is saved and later rendered unescaped in the listing), while the reflected XSS is triggered through the 'path' parameter of file_specs.php.

Description

PDW File Browser version 1.3 (the exploit writeup targets <= 1.3) contains stored and reflected cross-site scripting vulnerabilities. Any authenticated user can rename a file to a name containing HTML or script markup; because the name is stored and rendered without encoding, the payload executes in the browser of every user who later views that directory listing (stored XSS). Separately, the 'path' parameter of file_specs.php is reflected into the response unescaped, so a crafted URL executes arbitrary JavaScript in the session of any authenticated victim who opens it (reflected XSS). Both issues are fixed by contextual output encoding of file names and request parameters, plus a strict allow-list for names accepted by the rename handler.
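The two sinks described above, shown as an added PHP example rather than PDW File Browser's own code: a renderer that interpolates the stored file name and the reflected path parameter raw, beside a hardened version that encodes for the HTML context, allow-lists rename input and confines the path to the browser root. The function names, the `h()` helper, the sample payload and the assumed `file_specs.php?path=` link shape are illustrative assumptions, not taken from the project.

```php
<?php
// Added illustrative example (not PDW File Browser's code). Function names,
// the h() helper and the link layout are assumptions for illustration.
declare(strict_types=1);

// Contextual HTML encoding for text nodes and double-quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Vulnerable pattern: raw interpolation into HTML --------------------
// $name is the stored file name (set by the rename handler); $path comes
// straight from $_GET['path']. Neither is validated or encoded.
function render_row_vulnerable(string $name, string $path): string
{
    return "<tr><td><a href=\"file_specs.php?path=$path/$name\">$name</a></td></tr>";
}

// --- Hardened pattern ---------------------------------------------------

// Rename handler check: accept a conservative file-name charset only and
// reject the special directory entries. Reject, do not "sanitize".
function validate_new_name(string $name): bool
{
    return $name !== '.' && $name !== '..'
        && preg_match('/\A[A-Za-z0-9._ -]{1,128}\z/', $name) === 1;
}

// Resolve a user-supplied path under the configured root. Returns null when
// the path does not exist or escapes the root (e.g. via ../).
function resolve_path(string $root, string $path): ?string
{
    $rootReal = realpath($root);
    $real     = realpath($root . DIRECTORY_SEPARATOR . $path);
    if ($rootReal === false || $real === false) {
        return null;
    }
    if ($real !== $rootReal
        && !str_starts_with($real, $rootReal . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

// Safe renderer: URL-encode the query value, then HTML-encode attribute and
// text contexts separately. The payload survives only as inert text.
function render_row_safe(string $name, string $path): string
{
    $href = 'file_specs.php?path=' . rawurlencode($path . '/' . $name);
    return '<tr><td><a href="' . h($href) . '">' . h($name) . '</a></td></tr>';
}

// Demo with a constructed payload of the kind the writeup describes.
$payload = '<img src=x onerror=alert(document.cookie)>';

echo "vulnerable: ", render_row_vulnerable($payload, '/uploads'), "\n";
echo "hardened:   ", render_row_safe($payload, '/uploads'), "\n";
echo "rename '", $payload, "' accepted: ",
    var_export(validate_new_name($payload), true), "\n";
echo "rename 'report-2020.pdf' accepted: ",
    var_export(validate_new_name('report-2020.pdf'), true), "\n";

// Path confinement: '../etc' resolves outside the temp dir and is rejected.
$root = sys_get_temp_dir();
echo "resolve '../etc' under root: ",
    var_export(resolve_path($root, '../etc'), true), "\n";
echo "resolve '' under root: ",
    var_export(resolve_path($root, ''), true), "\n";
```

Run with `php example.php` (PHP 8 or later, for `str_starts_with`). The vulnerable line prints the `<img ... onerror=...>` markup intact, which is exactly what a browser would execute; the hardened line prints it as `&lt;img ...&gt;`. Note that encoding is done at the output sink, in the context the value lands in (attribute versus text versus URL query), rather than by stripping characters on input, which is the pattern that fails for both sinks in the writeup.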

Exploits (1)

Exploit-DB writeup by David Bimmel (webapps / php)
https://www.exploit-db.com/exploits/48947


Classification: Writeup (90% confidence)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PDW File Browser <= v1.3
Auth required: yes
Prerequisites: Authenticated user access · Victim interaction (e.g. phishing or visiting a crafted URL)
Analysis: devstral-2, Feb 16, 2026

References (3)

Core reference (Exploit, Third Party Advisory):
https://www.exploit-db.com/exploits/48947

Scores

CVSS v3.1 Base Score: 5.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
EPSS: 0.0021 (0.21%)
EPSS Percentile: 10.8%

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): GuidoNeele/PDW File Browser < 1.3
Published: Jan 28, 2026
Tracked Since: Feb 18, 2026