CVE-2022-46604
Published 2023-02-02
Priority: P178 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 8.63% (94.4th percentile)
An issue in Tecrail Responsive FileManager v9.9.5 and below allows attackers to bypass the file extension check mechanism and upload a crafted PHP file, leading to arbitrary code execution.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | activemq | >= 0 < 5.16.1-1ubuntu0.1 | 5.16.1-1ubuntu0.1 |
| tecrail | responsive_filemanager | <= 9.9.5 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /filemanager/execute.php with the query parameter action=create_file, the file-creation endpoint the exploit uses to plant a PHP webshell disguised as a .txt file.
- Alert on POST body parameters containing path=shell.php combined with name=shell.txt. This is the extension bypass: the file is named .txt but written to a .php path.
- Monitor for path_thumb values containing directory traversal sequences (e.g. ../thumbs/) in POST requests to the filemanager endpoint.
- Detect GET requests to /source/shell.php with a ?cmd= query parameter, indicating webshell interaction after exploitation.
- Flag creation of any .php file under the /source/ or /thumbs/ directories of the Responsive FileManager installation; these are not expected upload destinations for PHP files.
- The server response string 'File successfully saved.' on a create_file action targeting a .php path is a strong indicator of successful webshell implantation.
- Note: the exploit targets Responsive FileManager version 9.9.5 and below. Installations running versions above 9.9.5 are not affected by this specific bypass.
- Note: the webshell filename (shell.php) and path (/source/shell.php) used in the public PoC are defaults and may be trivially changed by an attacker; detection should not rely solely on this specific filename.
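The indicators in the list above, turned into detection logic that runs over request records. This is an added example, not code from this page or from the Responsive FileManager project. It assumes a reverse proxy or WAF that logs each request as one JSON line with the keys method, path, query, body, status and response_snippet (a constructed schema; real logs need their own loader), and that /source/ and /thumbs/ are the installation's upload directories, as the list states. Following the last bullet, the rules key on the endpoint, the extension mismatch between name and path, the traversal sequence and the success string rather than on the default filename shell.php, so the sample uses a different name to show that.

```python
"""Detection rules for the CVE-2022-46604 indicators (added example).

Assumed log schema (constructed): one JSON object per line with the keys
method, path, query, body, status and response_snippet. The body is the
raw urlencoded POST body as a proxy/WAF would capture it.
"""
import json
import posixpath
from urllib.parse import parse_qs, unquote

FILEMANAGER_ENDPOINT = "/filemanager/execute.php"
# Upload roots of a Responsive FileManager install, per the IOC list (assumed layout).
UPLOAD_DIRS = ("/source/", "/thumbs/")

# Constructed sample log: a benign text-file creation, then the request
# sequence the IOC list describes using a non-default filename, then noise.
SAMPLE_LOG = r"""
{"method": "POST", "path": "/filemanager/execute.php", "query": "action=create_file", "body": "path=notes.txt&name=notes.txt&path_thumb=thumbs/notes.txt", "status": 200, "response_snippet": "File successfully saved."}
{"method": "POST", "path": "/filemanager/execute.php", "query": "action=create_file", "body": "path=img.php&name=img.txt&path_thumb=../thumbs/img.txt", "status": 200, "response_snippet": "File successfully saved."}
{"method": "GET", "path": "/source/img.php", "query": "cmd=id", "body": "", "status": 200, "response_snippet": ""}
{"method": "GET", "path": "/source/photo.jpg", "query": "", "body": "", "status": 200, "response_snippet": ""}
"""


def _first(params, key):
    """First value of a parse_qs result, or '' when the key is absent."""
    return params.get(key, [""])[0]


def check_record(rec):
    """Return the list of rule ids that fire for one request record."""
    hits = []
    method = rec.get("method", "").upper()
    path = rec.get("path", "")
    query = parse_qs(rec.get("query", ""), keep_blank_values=True)
    body = parse_qs(rec.get("body", ""), keep_blank_values=True)

    is_create_file = (
        method == "POST"
        and path == FILEMANAGER_ENDPOINT
        and _first(query, "action") == "create_file"
    )
    if is_create_file:
        # Rule: the file-creation endpoint itself (low severity on its own).
        hits.append("RFM-CREATE_FILE")
        target = _first(body, "path")
        name = _first(body, "name")
        target_ext = posixpath.splitext(target)[1].lower()
        name_ext = posixpath.splitext(name)[1].lower()
        # Rule: extension bypass, the checked name is not .php but the written path is.
        if target_ext == ".php" and name_ext != ".php":
            hits.append("RFM-EXT-MISMATCH")
        # Rule: traversal in path_thumb; unquote first so %2e%2e is caught too.
        thumb_parts = unquote(_first(body, "path_thumb")).replace("\\", "/").split("/")
        if ".." in thumb_parts:
            hits.append("RFM-THUMB-TRAVERSAL")
        # Rule: success string on a create_file that targeted a .php path.
        if target_ext == ".php" and "File successfully saved." in rec.get("response_snippet", ""):
            hits.append("RFM-PHP-SAVED")

    # Rule: any .php fetched from an upload directory, whatever it is called.
    if method == "GET" and path.lower().endswith(".php") and any(d in path for d in UPLOAD_DIRS):
        hits.append("RFM-PHP-UNDER-UPLOAD-DIR")
        # Rule: the ?cmd= parameter the public PoC's webshell reads.
        if "cmd" in query:
            hits.append("RFM-CMD-PARAM")
    return hits


def scan(log_text):
    """Parse JSON-lines log text; return (line_no, hits) for every line that fires."""
    findings = []
    for line_no, line in enumerate(log_text.strip().splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        hits = check_record(json.loads(line))
        if hits:
            findings.append((line_no, hits))
    return findings


if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
```

Only the combination of hits matters operationally: a create_file request on its own is normal use, while RFM-EXT-MISMATCH or RFM-PHP-SAVED followed by RFM-PHP-UNDER-UPLOAD-DIR from the same client is the sequence the IOC list describes.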
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 8.8 | HIGH | — |
| vulncheck | — | 8.8 | HIGH | — |
OSV
activemq vulnerabilities (osv · 2025-02-14 · CVSS 8.8 · CVE-2022-41678)
It was discovered that Apache ActiveMQ incorrectly handled authentication. A remote attacker could possibly use this issue to run arbitrary code. (CVE-2022-41678)

It was discovered that Apache ActiveMQ incorrectly handled deserialization. A remote attacker could possibly use this issue to run arbitrary shell commands. (CVE-2023-46604)
GHSA
GHSA-q3q6-m34m-pq3r (ghsa_unreviewed · 2023-02-02)
CVE-2022-46604 [HIGH] CWE-434
An issue in Tecrail Responsive FileManager v9.9.5 and below allows attackers to bypass the file extension check mechanism and upload a crafted PHP file, leading to arbitrary code execution.
VulnCheck
tecrail responsive_filemanager Unrestricted Upload of File with Dangerous Type (vulncheck · 2022 · CVSS 8.8)
CVE-2022-46604 [HIGH]
An issue in Tecrail Responsive FileManager v9.9.5 and below allows attackers to bypass the file extension check mechanism and upload a crafted PHP file, leading to arbitrary code execution.
Affected: tecrail responsive_filemanager
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2022-46604
Exploit PoC: https://vulncheck.com/xdb/a2c7d10320f5; https://vulncheck.com/xdb/0196f7d0d183
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/171720/Responsive-FileManager-9.9.5-Remote-Shell-Upload.html
- https://github.com/trippo/ResponsiveFilemanager/blob/v9.9.5/filemanager/execute.php
- https://github.com/trippo/ResponsiveFilemanager/blob/v9.9.6/changelog.txt
- https://medium.com/%40_sadshade/file-extention-bypass-in-responsive-filemanager-9-5-5-leading-to-rce-authenticated-3290eddc54e7