PT-2020-3996 · Unknown · Responsive Filemanager
Published 2020-03-14 · Updated 2023-03-07 · CVE-2020-10567
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Responsive Filemanager versions through 9.14.0
Description:
An issue was discovered in the ajax_calls.php file, specifically in the save_img action, where the name parameter lacks validation of the sent extension. This allows for the execution of PHP code if a legitimate JPEG image contains this code in its EXIF data and the .php extension is used in the name parameter. A remote attacker can exploit this issue by using a specially crafted JPEG image with malicious EXIF data containing PHP code.
Recommendations:
For versions through 9.14.0, consider disabling the save_img action in the config file as a temporary workaround until a patch is available.
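The missing check described above, shown as an added example that is not Responsive Filemanager code or its official fix: a save routine that allowlists the extension of the client-supplied name, confirms the bytes decode as that image type, and re-encodes the image so EXIF data is not carried over. The function name, the constant and the sample file names are hypothetical; it assumes PHP with the GD extension.

```php
<?php
// Added illustration, not Responsive Filemanager code; all names are hypothetical.
const ALLOWED_IMAGE_TYPES = [      // extension => type the bytes must decode as
    'jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG, 'png' => IMAGETYPE_PNG,
];

/** Returns the saved path, or null when the name or the bytes are rejected. */
function save_image_safely(string $name, string $bytes, string $dir): ?string
{
    // Drop directory components, then require "base.ext" with no further dots,
    // so "x.php", "x.jpg.php" and "x.php.jpg" are all refused.
    $name = basename(str_replace('\\', '/', $name));
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        return null;
    }
    // The bytes must decode as the image type the extension claims.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || $info[2] !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;
    }
    // Re-encode through GD so EXIF metadata is not copied to the saved file.
    // The extension allowlist above remains the primary control.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    imagesavealpha($img, true);
    $path = rtrim($dir, '/') . '/' . $name;
    $ok = $info[2] === IMAGETYPE_JPEG ? imagejpeg($img, $path, 90) : imagepng($img, $path);
    return $ok ? $path : null;
}

// Constructed sample: a 2x2 JPEG generated in memory, offered under three names.
ob_start();
imagejpeg(imagecreatetruecolor(2, 2));
$jpeg = ob_get_clean();
foreach (['photo.php', 'photo.jpg.php', 'photo.jpg'] as $candidate) {
    $saved = save_image_safely($candidate, $jpeg, sys_get_temp_dir());
    echo $candidate, ' => ', $saved ?? 'rejected', PHP_EOL;
}
```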
Exploit
Fix
RCE
Affected Products
Responsive Filemanager