CVE-2019-25582 HIGH

CVE-2019-25582: i-doit CMDB 1.12 Arbitrary File Download via file_manager Parameter

Vendor I-Doit
Product doit CMDB
Weakness CWE-434 · Unrestricted file upload
Published March 21, 2026
Last update March 24, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

i-doit CMDB 1.12 contains an arbitrary file download vulnerability that allows authenticated attackers to download sensitive files by manipulating the file parameter in index.php. Attackers can send GET requests to index.php with file_manager=image and supply arbitrary file paths like src/config.inc.php to retrieve configuration files and sensitive system data.
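For defenders reviewing web-server logs, the request shape described above can be searched for directly. The following is an added example, not code from the vendor or from this record: it assumes Apache/nginx "combined" access logs and an image-extension allow-list, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: extensions a legitimate file_manager=image request would end with.
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp", ".ico")

# Assumption: Apache/nginx "combined" access-log layout.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def non_image_file(target):
    """Return the requested file if the target matches the advisory's request shape."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes
    if "image" not in query.get("file_manager", []):
        return None
    for value in query.get("file", []):
        if not value.lower().endswith(IMAGE_EXTENSIONS):
            return value
    return None

def scan(lines):
    """Collect GET requests that ask the image handler for a non-image file."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        requested = non_image_file(m["target"])
        if requested is not None:
            findings.append({"client": m["client"], "user": m["user"],
                             "file": requested, "served": m["status"] == "200"})
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Mar/2026:10:02:11 +0000] "GET /index.php?file_manager=image&file=src/config.inc.php HTTP/1.1" 200 2143 "-" "-"',
    '198.51.100.4 - - [21/Mar/2026:10:02:15 +0000] "GET /index.php?file_manager=image&file=images/logo.png HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [21/Mar/2026:10:03:40 +0000] "GET /index.php?file_manager=image&file=src%2Fconfig.inc.php HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.4 - - [21/Mar/2026:10:04:02 +0000] "GET /index.php HTTP/1.1" 200 8841 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with "served" set to True means the server answered 200, so the named file should be treated as disclosed and any credentials in it rotated.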

Key dates

02 Disclosure timeline

March 21, 2026 CVE published
March 24, 2026 Record updated