Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-xb4q-p8c8-5bgc
Summary FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to version 1.4.0, a business logic flaw in FileRise’s file/folder handling allows low-privilege users to perform unauthorized operations (view/delete/modify) on files created by other users. The root cause was inferring ownership/visibility from folder names (e.g., a folder named after a username) and missing server-side authorization/ownership checks across file operation endpoints. This amounted to an IDOR pattern: an attacker could operate on resources identified only by predictable names. This issue has been patched in version 1.4.0 and further hardened in version 1.5.0. A workaround for this issue involves restricting non-admin users to read-only access or disabling delete/rename APIs server-side, avoiding the creation of top-level folders named after other usernames, and adding server-side checks that verify ownership before delete/rename/move.
Aliases
0
alias CVE-2025-62509
Fixed_packages
Affected_packages
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-62509
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12686
published_at 2026-06-11T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12766
published_at 2026-06-14T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12785
published_at 2026-06-13T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12776
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-62509
1
reference_url https://github.com/error311/FileRise/commit/25ce6a76beb60950359c0304765ad91a8aff8ad8
reference_id 25ce6a76beb60950359c0304765ad91a8aff8ad8
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-20T18:05:40Z/
url https://github.com/error311/FileRise/commit/25ce6a76beb60950359c0304765ad91a8aff8ad8
2
reference_url https://github.com/error311/FileRise/issues/53
reference_id 53
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-20T18:05:40Z/
url https://github.com/error311/FileRise/issues/53
3
reference_url https://github.com/error311/FileRise/security/advisories/GHSA-6p87-q9rh-95wh
reference_id GHSA-6p87-q9rh-95wh
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-20T18:05:40Z/
url https://github.com/error311/FileRise/security/advisories/GHSA-6p87-q9rh-95wh
Weaknesses
0
cwe_id 280
name Improper Handling of Insufficient Permissions or Privileges
description The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
1
cwe_id 284
name Improper Access Control
description The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Exploits
Severity_range_score 8.1 - 8.1
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xb4q-p8c8-5bgc