PT-2019-15931 · Kcfinder · Roxy Fileman

Published 2019-12-16 · Updated 2019-12-23 · CVE-2019-19731

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Roxy Fileman version 1.4.5
Description: The RENAMEFILE action does not sanitize the target file name, so an unauthenticated remote attacker can supply path traversal sequences and have an already uploaded file written to an arbitrary location on the server. Because the upload extension blacklist is incomplete and does not block Windows shortcut (.lnk) files, this can be chained into code execution: the attacker uploads a specially crafted shortcut and then renames it into the Windows Startup folder, where it is launched at the next logon.
Recommendations: For version 1.4.5, restrict access to the RENAMEFILE action until a patch is available (for example, deny the action at the web-server level or limit it to trusted users), and make sure Windows shortcut (.lnk) files cannot be uploaded. Preferably replace the extension blacklist with an allowlist of the types the application actually needs, and verify that the canonical rename target still lies inside the upload directory before writing.
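The two defects the description names (an unsanitized rename target and an incomplete extension blacklist) are easiest to see side by side. The following is an added example, not Roxy Fileman's own code: a deliberately flawed RENAMEFILE-style handler next to a hardened one. The upload root, the Startup-folder path, the blacklist and the allowlist are all constructed for the demonstration; paths are handled with `posixpath` so the result is the same on any OS.

```python
import posixpath

# Constructed demo layout (not Roxy Fileman's real paths): the web root's upload
# directory and a Startup-folder path reached by traversing out of it.
UPLOAD_ROOT = "/inetpub/wwwroot/Uploads"
STARTUP_LNK = ("../../../../Users/victim/AppData/Roaming/Microsoft/Windows/"
               "Start Menu/Programs/Startup/evil.lnk")

# An incomplete blacklist of the kind the advisory describes: 'lnk' is absent.
BLACKLIST = {"php", "asp", "aspx", "exe", "bat"}
# What a hardened handler should use instead: only the types the app must serve.
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def extension(name: str) -> str:
    """Lower-cased extension without the dot ('' if there is none)."""
    return posixpath.splitext(name)[1].lstrip(".").lower()


def vulnerable_rename(root: str, current: str, new_name: str) -> str:
    """Flawed RENAMEFILE-style handler (illustrative, not the project's code).

    The new name is joined to the current file's directory without checking for
    path separators or '..', and the only extension control is a blacklist.
    Returns the path the file would be written to.
    """
    if extension(new_name) in BLACKLIST:
        raise ValueError("extension blocked")
    target_dir = posixpath.dirname(posixpath.join(root, current))
    return posixpath.normpath(posixpath.join(target_dir, new_name))


def hardened_rename(root: str, current: str, new_name: str) -> str:
    """Hardened handler: basename only, allowlisted extension, contained target."""
    # 1. The new name must be a single path component with no traversal.
    if ("\x00" in new_name or new_name in ("", ".", "..")
            or new_name != posixpath.basename(new_name)):
        raise ValueError("invalid file name")
    # 2. Allowlist instead of blacklist: .lnk is refused simply by not being listed.
    if extension(new_name) not in ALLOWLIST:
        raise ValueError("extension not permitted")
    # 3. Canonicalize and prove the result is still under the upload root
    #    (also covers a 'current' path that itself contains '..').
    root_norm = posixpath.normpath(root)
    target_dir = posixpath.dirname(posixpath.join(root_norm, current))
    target = posixpath.normpath(posixpath.join(target_dir, new_name))
    if posixpath.commonpath([root_norm, target]) != root_norm:
        raise ValueError("target escapes upload root")
    return target


def rejects(root: str, current: str, new_name: str) -> bool:
    """True if the hardened handler refuses the rename."""
    try:
        hardened_rename(root, current, new_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The flawed handler happily writes the shortcut into the Startup folder.
    print("vulnerable:", vulnerable_rename(UPLOAD_ROOT, "images/photo.jpg", STARTUP_LNK))
    # The hardened handler keeps a legitimate rename inside the upload root ...
    print("hardened  :", hardened_rename(UPLOAD_ROOT, "images/photo.jpg", "report.pdf"))
    # ... and refuses both the traversal and a plain .lnk rename.
    print("traversal rejected:", rejects(UPLOAD_ROOT, "images/photo.jpg", STARTUP_LNK))
    print(".lnk rejected     :", rejects(UPLOAD_ROOT, "images/photo.jpg", "evil.lnk"))
```

The containment check uses `commonpath` rather than a string prefix test so that a sibling directory such as `UploadsEvil` is not mistaken for a child of `Uploads`; the allowlist makes the blacklist-completeness problem go away entirely instead of trying to enumerate every dangerous extension.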


Path traversal


Weakness Enumeration

Related Identifiers

CVE-2019-19731

Affected Products

Roxy Fileman