{"id":"CVE-2016-20023","details":"In CKSource CKFinder before 2.5.0.1 for ASP.NET, authenticated users could download any file from the server if the correct path to a file was provided.","modified":"2026-03-10T13:58:57.063620Z","published":"2025-12-05T06:16:03.720Z","references":[{"type":"WEB","url":"https://download.cksource.com/CKFinder/CKFinder%20for%20ASP.NET/2.5.0.1/"},{"type":"ADVISORY","url":"https://ckeditor.com/ckfinder/release-notes/"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2.5.0.1"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-20023.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}