• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
upload.php in Responsive FileManager 9.13.4 and 9.14.0 allows SSRF via the url parameter because file-extension blocking is mishandled and because it is possible for a DNS hostname to resolve to an internal IP address. For example, an SSRF attempt may succeed if a .ico filename is added to the PATH_INFO. Also, an attacker could create a DNS hostname that resolves to the IP address for DNS pinning. NOTE: this issue exists because of an incomplete fix for CVE-2018-14728.
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
MITRE Corporation
Date Record Created
20200306 Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20200306)
Votes (Legacy)
Comments (Legacy)
Proposed (Legacy)
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.