CVE-2018-25164 PUBLISHED

EverSync 0.5 Arbitrary File Download via files Directory

Assigner: VulnCheck
Reserved: 06.03.2026 Published: 06.03.2026 Updated: 06.03.2026

EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers to access sensitive files by requesting them directly from the files directory. Attackers can send GET requests to the files directory to download database files like db.sq3 containing application data and credentials.
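To check whether files were already served from the files directory, the web server's access log can be reviewed for successful unauthenticated GET requests. The following is an added example, not part of the CVE record or the vendor's code; it assumes Combined Log Format, a hypothetical `/eversync/` install prefix, and constructed sample log lines.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# db.sq3 comes from the advisory; the other suffixes are assumed common SQLite names.
DB_SUFFIXES = (".sq3", ".sqlite", ".sqlite3", ".db")

def find_files_dir_downloads(lines):
    """Return (host, path, is_db) for each successful GET served from a files/ directory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] not in ("200", "206"):
            continue  # unparsable, not a GET, or the server did not return content
        # Decode percent-encoding and drop the query string before matching the path.
        path = unquote(urlsplit(m["target"]).path).lower()
        segments = [s for s in path.split("/") if s]
        if "files" not in segments[:-1]:
            continue  # no files/ directory component ahead of the file name
        hits.append((m["host"], path, path.endswith(DB_SUFFIXES)))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical /eversync/ prefix).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Mar/2026:10:00:01 +0000] "GET /eversync/files/db.sq3 HTTP/1.1" 200 40960 "-" "-"',
    '192.0.2.10 - - [06/Mar/2026:10:00:05 +0000] "GET /eversync/files/%64b.sq3?x=1 HTTP/1.1" 200 40960 "-" "-"',
    '198.51.100.7 - - [06/Mar/2026:10:01:00 +0000] "GET /eversync/index.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [06/Mar/2026:10:02:00 +0000] "GET /eversync/files/db.sq3 HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.7 - - [06/Mar/2026:10:03:00 +0000] "GET /eversync/files/notes.txt HTTP/1.1" 200 100 "-" "-"',
]

if __name__ == "__main__":
    for host, path, is_db in find_files_dir_downloads(SAMPLE_LOG):
        label = "DATABASE FILE" if is_db else "file"
        print(f"{host} downloaded {label}: {path}")
```

Any hit flagged as a database file means the credentials stored in it should be treated as exposed and rotated.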

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor: Phpmassmail
Product: EverSync
Versions:
  • Version 0.5 is affected

Credits

  • Ihsan Sencan (finder)

Problem Types

  • Files or Directories Accessible to External Parties CWE