{"id":"CVE-2020-10212","details":"upload.php in Responsive FileManager 9.13.4 and 9.14.0 allows SSRF via the url parameter because file-extension blocking is mishandled and because it is possible for a DNS hostname to resolve to an internal IP address. For example, an SSRF attempt may succeed if a .ico filename is added to the PATH_INFO. Also, an attacker could create a DNS hostname that resolves to the 0.0.0.0 IP address for DNS pinning. NOTE: this issue exists because of an incomplete fix for CVE-2018-14728.","modified":"2026-04-10T04:18:30.242005Z","published":"2020-03-07T00:15:13.117Z","references":[{"type":"REPORT","url":"https://github.com/trippo/ResponsiveFilemanager/issues/598"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/trippo/responsivefilemanager","events":[{"introduced":"0"},{"last_affected":"a50cac88ebcf8b469a189b1097758592c3807150"},{"introduced":"0"},{"last_affected":"d5572d2c645c9eebf0a9fcb9f3e6d23722d454f4"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"9.13.4"},{"introduced":"0"},{"last_affected":"9.14.0"}]}}],"versions":["9.9","9.9.1","9.9.2","9.9.4","v.9.10.1","v9.10.0","v9.10.1","v9.10.2","v9.11.0","v9.11.3","v9.12.0","v9.12.1","v9.12.2","v9.13.0","v9.13.1","v9.13.3","v9.13.4","v9.14.0","v9.9.3","v9.9.4","v9.9.5","v9.9.6","v9.9.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-10212.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}