Responsive Filemanager · Responsive Filemanager · CVE-2020-11106
Name of the Vulnerable Software and Affected Versions:
Responsive Filemanager versions through 9.14.0
Description:
The issue is related to the lack of sanitization of the `$_SESSION['RF']["view_type"]` session variable in the dialog.php page. This allows for stored XSS attacks if an attacker opens ajax_calls.php, uses the "view" action, and places a payload in the `type` parameter, then returns to the dialog.php page. The vulnerability occurs because ajax_calls.php can also set the `$_SESSION['RF']["view_type"]` variable without sanitizing it.
Recommendations:
For Responsive Filemanager versions through 9.14.0, consider disabling the `ajax_calls.php` page or restricting access to it until a patch is available. As a temporary workaround, avoid using the "view" action in `ajax_calls.php` and restrict the use of the `type` parameter to prevent exploitation.
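
The description above involves two trust boundaries: the page that writes `view_type` into the session and the page that later echoes it. The sketch below is an added example, not Responsive Filemanager's own code or its patch, and shows validation on write plus re-validation and encoding on read. The function names, the allowed integer codes, the default, and the hidden-input markup are assumptions made for illustration.

```php
<?php
// Added illustration, not Responsive Filemanager source code.
// Assumption: the view type is a small integer code; this allowed set is hypothetical.
const ALLOWED_VIEW_TYPES = [0, 1, 2];
const DEFAULT_VIEW_TYPE  = 0;

// Write side (the role ajax_calls.php plays for the "view" action):
// accept only allowlisted integer codes before touching the session.
function store_view_type(array &$session, $rawType): bool
{
    $type = filter_var($rawType, FILTER_VALIDATE_INT);
    if ($type === false || !in_array($type, ALLOWED_VIEW_TYPES, true)) {
        return false; // rejected: the session keeps its previous value
    }
    $session['RF']['view_type'] = $type;
    return true;
}

// Read side (the role dialog.php plays): re-validate even when the value is
// already set, then encode for the HTML attribute it is written into.
function render_view_type(array $session): string
{
    $type = $session['RF']['view_type'] ?? DEFAULT_VIEW_TYPE;
    if (!is_int($type) || !in_array($type, ALLOWED_VIEW_TYPES, true)) {
        $type = DEFAULT_VIEW_TYPE;
    }
    $safe = htmlspecialchars((string) $type, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" id="view" value="' . $safe . '">'; // hypothetical markup
}

// Constructed sample inputs for the `type` parameter.
$session = [];
foreach (['1', '2', '7', 'abc', '"><b>constructed-markup</b>'] as $raw) {
    $ok = store_view_type($session, $raw);
    printf("%-34s stored=%s\n", var_export($raw, true), $ok ? 'yes' : 'no');
}

// A session value written before any validation existed (constructed).
$legacy = ['RF' => ['view_type' => '"><b>constructed-markup</b>']];
echo render_view_type($legacy), "\n";   // falls back to the default code
echo render_view_type($session), "\n";  // last accepted code
```

Validating only on write would leave sessions that already hold an unvalidated value exposed, which is why the read side repeats the check before output.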