CVE-2018-20790

HIGH

tecrail Responsive FileManager 9.13.4 - Path Traversal and Arbitrary File Deletion via paths[0] Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-20790. PoCs published by Fariskhi Vidyan.

AI-analyzed exploit summary: The exploit demonstrates multiple vulnerabilities in Responsive FileManager 9.13.4, including arbitrary file read, write, and deletion via path traversal, as well as persistent XSS. It provides functional cURL commands to exploit these vulnerabilities.

Description

tecrail Responsive FileManager 9.13.4 allows remote attackers to delete an arbitrary file as a consequence of a paths[0] path traversal mitigation bypass through the delete_file action in execute.php.

Exploits (1)

exploitdb WORKING POC
by Fariskhi Vidyan · text · webapps · php
https://www.exploit-db.com/exploits/45987


Classification: Working PoC (100%)
Attack Type: Info Leak | XSS | Other
Complexity: Trivial
Reliability: Reliable
Target: Responsive FileManager 9.13.4
Auth required
Prerequisites: Valid PHPSESSID cookie · Access to the target application
devstral-2 · analyzed Feb 18, 2026

References (1)

Core References
Tags: Exploit, Third Party Advisory, VDB Entry, exploit, x_refsource_exploit-db
https://www.exploit-db.com/exploits/45987

Scores

CVSS v3: 7.5
EPSS: 0.0363
EPSS Percentile: 88.1%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE: CWE-22
Status: published
Products (1): tecrail/responsive_filemanager 9.13.4
Published: Feb 25, 2019
Tracked Since: Feb 18, 2026