Roxy Fileman

6 matches found

CVE
added 2019/03/18 3:25 p.m. | 116 views

CVE-2018-20526

CVE-2018-20526 covers a vulnerability in Roxy Fileman 1.4.5 where upload.php allows unrestricted file uploads. The NVD entry documents this as a file-upload vulnerability (CVSS v2/v3 high-crit) without confirming exploit specifics. The nuclei template and related references describe it as enablin...

CVSS 9.8 | AI score 9.4 | EPSS 0.86037
Web
CVE
added 2022/11/09 12:0 a.m. | 97 views

CVE-2022-40797

CVE-2022-40797 affects Roxy Fileman 1.4.6. The vulnerability is a remote code execution via uploading a .phar file, because conf.json’s FORBIDDEN_UPLOADS setting only blocks .php, .php4, and .php5. In some web-server configurations visiting a .phar file can execute the PHP interpreter, enabling a...

CVSS 9.8 | AI score 9.6 | EPSS 0.12646
Web
CVE
added 2019/03/18 3:21 p.m. | 76 views

CVE-2018-20525

CVE-2018-20525 affects Roxy Fileman 1.4.5, enabling directory traversal via copydir.php, copyfile.php, and fileslist.php. Public write-up and exploit references (e.g., Exploit-DB, PacketStorm) describe or imply abuse for arbitrary directory access via directory traversal and related upload bypass...

CVSS 9.1 | AI score 8.3 | EPSS 0.33957
Web
CVE
added 2019/12/16 4:26 p.m. | 60 views

CVE-2019-19731

CVE-2019-19731 affects Roxy Fileman 1.4.5 for .NET. The vulnerability is a path traversal flaw that allows a remote attacker to write uploaded files to arbitrary locations via the RENAMEFILE action. Documents describe that this can enable code execution by uploading a crafted Windows shortcut fil...

CVSS 7.5 | AI score 7.8 | EPSS 0.25357
Web
CVE
added 2019/04/09 5:58 p.m. | 51 views

CVE-2019-7174

CVE-2019-7174 pertains to Roxy Fileman 1.4.5, where attackers can trigger the server to perform file-management operations via renamefile.php, createdir.php, fileslist.php, and movefile.php. The affected component is the Fileman web interface; the description notes these endpoints can be executed...

CVSS 9.8 | AI score 9.4 | EPSS 0.00433
CVE
added 2018/06/07 8:0 p.m. | 30 views

CVE-2018-12042

Roxy Fileman 1.4.5 and earlier is vulnerable to a directory traversal flaw in the php/download.php f parameter, allowing access to arbitrary files. The issue is due to improper handling of the f parameter in file download functionality, enabling potential exposure of sensitive server files. Impac...

CVSS 7.5 | AI score 7.5 | EPSS 0.00533
Web