{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2020-10567","assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","dateUpdated":"2024-08-04T11:06:09.539Z","dateReserved":"2020-03-14T00:00:00.000Z","datePublished":"2020-03-14T00:00:00.000Z"},"containers":{"cna":{"providerMetadata":{"orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre","dateUpdated":"2023-03-07T00:00:00.000Z"},"descriptions":[{"lang":"en","value":"An issue was discovered in Responsive Filemanager through 9.14.0. In the ajax_calls.php file in the save_img action in the name parameter, there is no validation of what kind of extension is sent. This makes it possible to execute PHP code if a legitimate JPEG image contains this code in the EXIF data, and the .php extension is used in the name parameter. (A potential fast patch is to disable the save_img action in the config file.)"}],"affected":[{"vendor":"n/a","product":"n/a","versions":[{"version":"n/a","status":"affected"}]}],"references":[{"url":"https://github.com/trippo/ResponsiveFilemanager/issues/600"},{"url":"http://packetstormsecurity.com/files/171280/ZwiiCMS-12.2.04-Remote-Code-Execution.html"}],"problemTypes":[{"descriptions":[{"type":"text","lang":"en","description":"n/a"}]}]},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T11:06:09.539Z"},"title":"CVE Program Container","references":[{"url":"https://github.com/trippo/ResponsiveFilemanager/issues/600","tags":["x_transferred"]},{"url":"http://packetstormsecurity.com/files/171280/ZwiiCMS-12.2.04-Remote-Code-Execution.html","tags":["x_transferred"]}]}]}}