Note: Because Joomla core 3.9.21 fixed improperly, therefore this bug has't patched improperly. I can bypass this patch eseaily. I want to keep this secret until this bug will have been fixed completely.
https://developer.joomla.org/security-centre/827-20200803-core-directory-traversal-in-com-media.html
#python cve202024597.py -url http://test.local -u admin -p 1234 -rce 1
Full PoC in here: