Stored Cross-Site Scripting in Responsive Filemanager by Trippo
CVE-2020-11106

6.1 MEDIUM

Key Information:

Vendor:
Tecrail

CVE Published:
30 March 2020

What is CVE-2020-11106?

Responsive Filemanager stores the user-selected view type in the PHP session variable $_SESSION['RF']['view_type'] and writes that value back into the HTML of dialog.php without sanitization or output encoding. The value can be set through ajax_calls.php by calling the 'view' action with a malicious payload in the type parameter; once set, the payload persists in the session and executes in the browser every time dialog.php is rendered for that session. Because the tainted value lives in the session of whoever made the ajax_calls.php request, the attacker must first get a victim's browser to issue that request (hence User Interaction: Required in the CVSS vector below); the script then runs in the application's origin with the victim's authenticated session, giving the attacker the usual stored XSS capabilities such as reading session-bound data or performing file-manager actions on the victim's behalf.
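The pattern behind the advisory, as an added example that is not Responsive Filemanager's own code: a minimal model of the two endpoints named above (ajax_calls.php storing the type parameter in the session, dialog.php echoing it), followed by a hardened version of the same logic. The function names, the allowlist of view ids and the test payload are assumptions for illustration only.

```php
<?php
// Added example, not Responsive Filemanager's own code: a minimal model of
// the pattern described in CVE-2020-11106 and a hardened form of it.
// Endpoint roles follow the advisory (ajax_calls.php, dialog.php); the
// function names, ALLOWED_VIEW_TYPES and the payload are assumptions.

session_start();

// --- Vulnerable pattern (what the advisory describes) ----------------------

// Models ajax_calls.php?action=view&type=<user value>
function vulnerable_ajax_view(string $type): void {
    // The user-supplied view type goes into the session unvalidated.
    $_SESSION['RF']['view_type'] = $type;
}

// Models dialog.php rendering the stored value straight into HTML.
function vulnerable_dialog(): string {
    $view = $_SESSION['RF']['view_type'] ?? '0';
    return '<div class="filemanager" data-view="' . $view . '">...</div>';
}

// --- Hardened pattern -------------------------------------------------------

// Assumed allowlist of the view ids the UI actually understands.
const ALLOWED_VIEW_TYPES = ['0', '1', '2'];

// Validate at the point of storage: an unknown value never reaches the session.
function hardened_ajax_view(string $type): bool {
    if (!in_array($type, ALLOWED_VIEW_TYPES, true)) {
        return false;
    }
    $_SESSION['RF']['view_type'] = $type;
    return true;
}

// Validate again at the point of output (the session may still hold a value
// stored before the fix) and HTML-encode regardless of the allowlist.
function hardened_dialog(): string {
    $view = $_SESSION['RF']['view_type'] ?? '0';
    if (!in_array($view, ALLOWED_VIEW_TYPES, true)) {
        $view = '0';
    }
    $safe = htmlspecialchars($view, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="filemanager" data-view="' . $safe . '">...</div>';
}

// --- Demonstration ------------------------------------------------------------

// Constructed payload: breaks out of the attribute and injects a script tag.
$payload = '"><script>alert(document.cookie)</script>';

vulnerable_ajax_view($payload);
echo vulnerable_dialog(), PHP_EOL;        // unencoded <script> tag in the markup

$_SESSION['RF'] = [];
var_dump(hardened_ajax_view($payload));   // bool(false): payload rejected
echo hardened_dialog(), PHP_EOL;          // data-view="0"

// Simulate a session tainted before the fix was deployed.
$_SESSION['RF']['view_type'] = $payload;
echo hardened_dialog(), PHP_EOL;          // still data-view="0": output-side check holds
```

The last step is the practitioner's caveat: fixing only ajax_calls.php leaves any session that was poisoned before the patch executing the payload until that session expires, so dialog.php has to validate and encode on output as well. When auditing an installed instance, check that both the write to $_SESSION['RF']['view_type'] and its use in dialog.php apply a check of this kind.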

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published: 30 March 2020