
CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 1

upload.php in Responsive FileManager 9.13.4 and 9.14.0 allows SSRF via the url parameter because file-extension blocking is mishandled and because it is possible for a DNS hostname to resolve to an internal IP address. For example, an SSRF attempt may succeed if a .ico filename is added to the PATH_INFO. Also, an attacker could create a DNS hostname that resolves to the 0.0.0.0 IP address for DNS pinning. NOTE: this issue exists because of an incomplete fix for CVE-2018-14728.

• https://github.com/trippo/ResponsiveFilemanager/issues/598
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.5 | EPSS: 3% | CPEs: 1 | EXPL: 1

tecrail Responsive FileManager 9.13.4 allows remote attackers to read arbitrary files via path traversal with the path parameter, through the get_file action in ajax_calls.php.

• https://www.exploit-db.com/exploits/45987
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

tecrail Responsive FileManager 9.13.4 allows remote attackers to delete an arbitrary file as a consequence of a paths[0] path traversal mitigation bypass through the delete_file action in execute.php.

• https://www.exploit-db.com/exploits/45987
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.5 | EPSS: 3% | CPEs: 1 | EXPL: 1

tecrail Responsive FileManager 9.13.4 allows remote attackers to read arbitrary files via path traversal with the path parameter, through the copy_cut action in ajax_calls.php and the paste_clipboard action in execute.php.

• https://www.exploit-db.com/exploits/45987
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

tecrail Responsive FileManager 9.13.4 allows remote attackers to delete an arbitrary directory as a consequence of a paths[0] path traversal mitigation bypass through the delete_folder action in execute.php.

• https://www.exploit-db.com/exploits/45987
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')