Responsivefilemanager
by Trippo
CVEs (19)
| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-14728 | | Critical | 0.73 | 9.8 | 0.77 | | Aug 3, 2018 | upload.php in Responsive FileManager 9.13.1 allows SSRF via the url parameter. |
| CVE-2020-10212 | | Critical | 0.64 | 9.8 | 0.01 | | Mar 7, 2020 | upload.php in Responsive FileManager 9.13.4 and 9.14.0 allows SSRF via the url parameter because file-extension blocking is mishandled and because it is possible for a DNS hostname to resolve to an internal IP address. For example, an SSRF attempt may succeed if a .ico filename… |
| CVE-2026-5482 | | Critical | 0.60 | — | 0.00 | | Jun 15, 2026 | Responsive FileManager allows an unauthenticated attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution. This project is unmaintained at the time of CVE assignment. The vulnerability was found in… |
| CVE-2018-18867 | | High | 0.56 | 8.6 | 0.01 | | Oct 31, 2018 | An SSRF issue was discovered in tecrail Responsive FileManager 9.13.4 via the upload.php url parameter. NOTE: this issue exists because of an incomplete fix for CVE-2018-15495. |
| CVE-2022-46604 | | High | 0.54 | 8.8 | 0.09 | | Feb 2, 2023 | An issue in Tecrail Responsive FileManager v9.9.5 and below allows attackers to bypass the file extension check mechanism and upload a crafted PHP file, leading to arbitrary code execution. |
| CVE-2026-37266 | | High | 0.52 | 8.0 | 0.00 | | May 28, 2026 | An issue in Responsive File Manager Responsive FileManager Version 9.14.0 allows a remote attacker to execute arbitrary code via the force_download.php component. |
| CVE-2018-20795 | | High | 0.49 | 7.5 | 0.03 | | Feb 25, 2019 | tecrail Responsive FileManager 9.13.4 allows remote attackers to read arbitrary files via path traversal with the path parameter, through the copy_cut action in ajax_calls.php and the paste_clipboard action in execute.php. |
| CVE-2018-20794 | | High | 0.49 | 7.5 | 0.04 | | Feb 25, 2019 | tecrail Responsive FileManager 9.13.4 allows remote attackers to write to an arbitrary image file (jpg/jpeg/png) via path traversal with the path parameter, through the save_img action in ajax_calls.php. |
| CVE-2018-20793 | | High | 0.49 | 7.5 | 0.05 | | Feb 25, 2019 | tecrail Responsive FileManager 9.13.4 allows remote attackers to write to an arbitrary file as a consequence of a paths[0] path traversal mitigation bypass, through the create_file action in execute.php. |
| CVE-2018-20792 | | High | 0.49 | 7.5 | 0.03 | | Feb 25, 2019 | tecrail Responsive FileManager 9.13.4 allows remote attackers to read arbitrary files via path traversal with the path parameter, through the get_file action in ajax_calls.php. |
| CVE-2018-20790 | | High | 0.49 | 7.5 | 0.04 | | Feb 25, 2019 | tecrail Responsive FileManager 9.13.4 allows remote attackers to delete an arbitrary file as a consequence of a paths[0] path traversal mitigation bypass through the delete_file action in execute.php. |
| CVE-2018-20789 | | High | 0.49 | 7.5 | 0.04 | | Feb 25, 2019 | tecrail Responsive FileManager 9.13.4 allows remote attackers to delete an arbitrary directory as a consequence of a paths[0] path traversal mitigation bypass through the delete_folder action in execute.php. |
| CVE-2018-18061 | | High | 0.49 | 7.5 | 0.01 | | Oct 10, 2018 | An issue was discovered in dialog.php in tecrail Responsive FileManager 9.8.1. Attackers can access the file manager interface that provides them with the ability to upload and delete files. |
| CVE-2018-15535 | | High | 0.48 | 7.5 | 0.45 | | Aug 24, 2018 | /filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize get_file sequences such as ".." that can resolve to a location that is… |
| CVE-2018-15495 | | High | 0.42 | 7.5 | 0.02 | | Aug 18, 2018 | /filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value. |
| CVE-2024-50807 | | Medium | 0.40 | 6.1 | 0.00 | | Jan 10, 2025 | Trippo Responsive Filemanager 9.14.0 is vulnerable to Cross Site Scripting (XSS) via file upload using the svg and pdf extensions. |
| CVE-2018-20791 | | Medium | 0.40 | 6.1 | 0.01 | | Feb 25, 2019 | tecrail Responsive FileManager 9.13.4 allows XSS via a media file upload with an XSS payload in the name, because of mishandling of the media_preview action. |
| CVE-2021-31711 | | Medium | 0.35 | 5.4 | 0.00 | | May 9, 2023 | Cross Site Scripting vulnerability found in Trippo ResponsiveFilemanager v.9.14.0 and before allows a remote attacker to execute arbitrary code via the sort_by parameter in the dialog.php file. |
| CVE-2018-15536 | | Medium | 0.32 | 5.5 | 0.06 | | Aug 24, 2018 | /filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 does not properly validate file paths in archives, allowing for the extraction of crafted archives to overwrite arbitrary files via an extract action, aka Directory Traversal. |