CVE-2019-19731

HIGH

Roxy Fileman 1.4.5 - Path Traversal

Title source: llm

Description

Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal. A remote attacker can write uploaded files to arbitrary locations via the RENAMEFILE action. This can be leveraged for code execution by uploading a specially crafted Windows shortcut file and writing the file to the Startup folder (because an incomplete blacklist of file extensions allows Windows shortcut files to be uploaded).

Exploits (1)

exploitdb WORKING POC
by Patrik Lantz · text · webapps · aspx
https://www.exploit-db.com/exploits/47777

Scores

CVSS v3 7.5
EPSS 0.2536
EPSS Percentile 96.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-22
Status published
Products (1)
roxyfileman/roxy_fileman 1.4.5
Published Dec 16, 2019
Tracked Since Feb 18, 2026