This vulnerability was discovered and researched by Julien Ahrens from RCE Security. Since the application follows HTTP 301 redirects, an attacker who controls the target HTTP server is able to send arbitrary long filename values to exploit this flaw.
Read RCE Security Full Disclosure here – http://www.rcesecurity.com/2014/03/cve-2014-2087-free-download-manager-cdownloads_deleted-updatedownload-remote-code-execution/