I might be wrong here, so please forgive me if this is a mistake. In the Admin DownloadController.cs there is a method to download files by id which is really insecure.
At the moment we only have the attribute [AdminAuthorize], which will also give Vendors access to download any file.
There should be a way to validate that this method can only be accessed by users in the Administrator role.
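The pattern described above, as an added illustration that is not the project's own code: the only things taken from the report are the `[AdminAuthorize]` attribute and the `DownloadController` name. The role system name "Administrators", the `IWorkContext` / `IDownloadService` shapes, the stub attribute and the helper names are assumptions made so the file compiles on its own; substitute the project's real services when applying the idea.

```csharp
// Added example, not the project's code. Only [AdminAuthorize] and
// DownloadController come from the report; the role name "Administrators",
// the service interfaces and the stub attribute below are assumptions.
using System;
using System.Linq;
using System.Web.Mvc;

namespace Example.Admin.Controllers
{
    // Stand-in for the project's attribute. It only answers "may this user
    // use the admin area", which vendors are also allowed to do, so on its
    // own it does not distinguish an administrator from a vendor.
    public class AdminAuthorizeAttribute : AuthorizeAttribute { }

    // Minimal stand-ins for the real customer/work-context/download services.
    public class Customer { public string[] RoleSystemNames = new string[0]; }
    public interface IWorkContext { Customer CurrentCustomer { get; } }
    public class Download
    {
        public int Id; public byte[] Bytes; public string FileName; public string ContentType;
    }
    public interface IDownloadService { Download GetDownloadById(int id); }

    [AdminAuthorize]
    public class DownloadController : Controller
    {
        private const string AdminRole = "Administrators"; // assumed role system name

        private readonly IWorkContext _workContext;
        private readonly IDownloadService _downloadService;

        public DownloadController(IWorkContext workContext, IDownloadService downloadService)
        {
            _workContext = workContext;
            _downloadService = downloadService;
        }

        // BEFORE: any user who passed [AdminAuthorize] (vendors included)
        // can fetch any file in the store just by guessing its id.
        public ActionResult DownloadFileUnsafe(int downloadId)
        {
            var download = _downloadService.GetDownloadById(downloadId);
            if (download == null)
                return HttpNotFound();
            return File(download.Bytes, download.ContentType, download.FileName);
        }

        // AFTER: require the administrator role before touching the store.
        // The check runs first so a non-admin cannot even probe which ids exist.
        public ActionResult DownloadFile(int downloadId)
        {
            if (!IsAdministrator(_workContext.CurrentCustomer))
                return new HttpUnauthorizedResult();

            var download = _downloadService.GetDownloadById(downloadId);
            if (download == null)
                return HttpNotFound();
            return File(download.Bytes, download.ContentType, download.FileName);
        }

        // Role membership check; a null customer (not logged in) is never an admin.
        public static bool IsAdministrator(Customer customer)
        {
            return customer != null
                && customer.RoleSystemNames.Contains(AdminRole, StringComparer.Ordinal);
        }
    }
}
```

If the role names are known at compile time, the same restriction can be expressed declaratively with the framework's `[Authorize(Roles = "Administrators")]` on the action instead of the explicit call; either way the point is that "may use the admin area" and "may download arbitrary files" are two different permissions and the second one needs its own check.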