CVE-2018-20792

HIGH

tecrail Responsive FileManager 9.13.4 - Path Traversal via Path Parameter in get_file Action

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-20792. PoCs published by Fariskhi Vidyan.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in Responsive FileManager 9.13.4, including arbitrary file read, write, and deletion via path traversal, as well as persistent XSS. It provides functional cURL commands to exploit these vulnerabilities.

Description

tecrail Responsive FileManager 9.13.4 allows remote attackers to read arbitrary file via path traversal with the path parameter, through the get_file action in ajax_calls.php.

Exploits (1)

exploitdb WORKING POC

by Fariskhi Vidyan · textwebappsphp

https://www.exploit-db.com/exploits/45987

View Code ZIP pw:eip

The exploit demonstrates multiple vulnerabilities in Responsive FileManager 9.13.4, including arbitrary file read, write, and deletion via path traversal, as well as persistent XSS. It provides functional cURL commands to exploit these vulnerabilities.

Classification

Working Poc 100%

Attack Type

Info Leak | Xss | Other

Complexity

Trivial

Reliability

Reliable

Target: Responsive FileManager 9.13.4

Auth required

Prerequisites: Valid PHPSESSID cookie · Access to the target application

MITRE ATT&CK

T1005 - Data from Local System T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45987

Scores

CVSS v3 7.5

EPSS 0.0346

EPSS Percentile 87.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-22

Status published

Products (1)

tecrail/responsive_filemanager 9.13.4

Published Feb 25, 2019

Tracked Since Feb 18, 2026