VYPR

Responsivefilemanager

by Trippo

Source repositories

CVEs (19)

  • CVE-2018-14728CriAug 3, 2018
    risk 0.73cvss 9.8epss 0.77

    upload.php in Responsive FileManager 9.13.1 allows SSRF via the url parameter.

  • CVE-2020-10212CriMar 7, 2020
    risk 0.64cvss 9.8epss 0.01

    upload.php in Responsive FileManager 9.13.4 and 9.14.0 allows SSRF via the url parameter because file-extension blocking is mishandled and because it is possible for a DNS hostname to resolve to an internal IP address. For example, an SSRF attempt may succeed if a .ico filename…

  • CVE-2026-5482CriJun 15, 2026
    risk 0.60cvss epss 0.00

    Responsive FileManager's allows an unauthenticated attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution.  This project is unmaintained at the time of CVE assignment. The vulnerability was found in…

  • CVE-2018-18867HigOct 31, 2018
    risk 0.56cvss 8.6epss 0.01

    An SSRF issue was discovered in tecrail Responsive FileManager 9.13.4 via the upload.php url parameter. NOTE: this issue exists because of an incomplete fix for CVE-2018-15495.

  • CVE-2022-46604HigFeb 2, 2023
    risk 0.54cvss 8.8epss 0.09

    An issue in Tecrail Responsive FileManager v9.9.5 and below allows attackers to bypass the file extension check mechanism and upload a crafted PHP file, leading to arbitrary code execution.

  • CVE-2026-37266HigMay 28, 2026
    risk 0.52cvss 8.0epss 0.00

    An issue in Responsive File Manager Responsive FileManager Version 9.14.0 allows a remote attacker to execute arbitrary code via the force_download.php component

  • CVE-2018-20795HigFeb 25, 2019
    risk 0.49cvss 7.5epss 0.03

    tecrail Responsive FileManager 9.13.4 allows remote attackers to read arbitrary files via path traversal with the path parameter, through the copy_cut action in ajax_calls.php and the paste_clipboard action in execute.php.

  • CVE-2018-20794HigFeb 25, 2019
    risk 0.49cvss 7.5epss 0.04

    tecrail Responsive FileManager 9.13.4 allows remote attackers to write to an arbitrary image file (jpg/jpeg/png) via path traversal with the path parameter, through the save_img action in ajax_calls.php.

  • CVE-2018-20793HigFeb 25, 2019
    risk 0.49cvss 7.5epss 0.05

    tecrail Responsive FileManager 9.13.4 allows remote attackers to write to an arbitrary file as a consequence of a paths[0] path traversal mitigation bypass, through the create_file action in execute.php.

  • CVE-2018-20792HigFeb 25, 2019
    risk 0.49cvss 7.5epss 0.03

    tecrail Responsive FileManager 9.13.4 allows remote attackers to read arbitrary file via path traversal with the path parameter, through the get_file action in ajax_calls.php.

  • CVE-2018-20790HigFeb 25, 2019
    risk 0.49cvss 7.5epss 0.04

    tecrail Responsive FileManager 9.13.4 allows remote attackers to delete an arbitrary file as a consequence of a paths[0] path traversal mitigation bypass through the delete_file action in execute.php.

  • CVE-2018-20789HigFeb 25, 2019
    risk 0.49cvss 7.5epss 0.04

    tecrail Responsive FileManager 9.13.4 allows remote attackers to delete an arbitrary directory as a consequence of a paths[0] path traversal mitigation bypass through the delete_folder action in execute.php.

  • CVE-2018-18061HigOct 10, 2018
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in dialog.php in tecrail Responsive FileManager 9.8.1. Attackers can access the file manager interface that provides them with the ability to upload and delete files.

  • CVE-2018-15535HigAug 24, 2018
    risk 0.48cvss 7.5epss 0.45

    /filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize get_file sequences such as ".." that can resolve to a location that is…

  • CVE-2018-15495HigAug 18, 2018
    risk 0.42cvss 7.5epss 0.02

    /filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.

  • CVE-2024-50807MedJan 10, 2025
    risk 0.40cvss 6.1epss 0.00

    Trippo Responsive Filemanager 9.14.0 is vulnerable to Cross Site Scripting (XSS) via file upload using the svg and pdf extensions.

  • CVE-2018-20791MedFeb 25, 2019
    risk 0.40cvss 6.1epss 0.01

    tecrail Responsive FileManager 9.13.4 allows XSS via a media file upload with an XSS payload in the name, because of mishandling of the media_preview action.

  • CVE-2021-31711MedMay 9, 2023
    risk 0.35cvss 5.4epss 0.00

    Cross Site Scripting vulnerability found in Trippo ResponsiveFilemanager v.9.14.0 and before allows a remote attacker to execute arbitrary code via the sort_by parameter in the dialog.php file.

  • CVE-2018-15536MedAug 24, 2018
    risk 0.32cvss 5.5epss 0.06

    /filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 does not properly validate file paths in archives, allowing for the extraction of crafted archives to overwrite arbitrary files via an extract action, aka Directory Traversal.