CVE-2020-10567

CRITICAL

Responsive Filemanager <9.14.0 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-10567. PoCs published by PierreAdams.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2020-10567, which targets RESPONSIVE filemanager v.9.14.0. The exploit leverages improper input validation in ajax_calls.php?action=save_img to upload a malicious PHP file, achieving remote code execution.

Description

An issue was discovered in Responsive Filemanager through 9.14.0. In the ajax_calls.php file in the save_img action in the name parameter, there is no validation of what kind of extension is sent. This makes it possible to execute PHP code if a legitimate JPEG image contains this code in the EXIF data, and the .php extension is used in the name parameter. (A potential fast patch is to disable the save_img action in the config file.)

Exploits (2)

nomisec WORKING POC 4 stars

by PierreAdams · poc

https://github.com/PierreAdams/CVE-2020-10567

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2020-10567, which targets RESPONSIVE filemanager v.9.14.0. The exploit leverages improper input validation in ajax_calls.php?action=save_img to upload a malicious PHP file, achieving remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: RESPONSIVE filemanager v.9.14.0

No auth needed

Prerequisites: Target URL · Command to execute

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Jun 09, 2026 Full analysis →

nomisec WORKING POC

by PierreAdams · poc

https://github.com/PierreAdams/POC-CVE-2020-10567

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2020-10567, targeting RESPONSIVE filemanager v9.14.0. The exploit leverages improper input validation in ajax_calls.php?action=save_img to upload a malicious PHP file, achieving remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: RESPONSIVE filemanager v9.14.0

No auth needed

Prerequisites: Target URL · Command to execute

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 10, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://github.com/trippo/ResponsiveFilemanager/issues/600

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/171280/ZwiiCMS-12.2.04-Remote-Code-Execution.html

Scores

CVSS v3 9.8

EPSS 0.1929

EPSS Percentile 97.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-20

Status published

Products (1)

tecrail/responsive_filemanager < 9.14.0

Published Mar 14, 2020

Tracked Since Feb 18, 2026