Vulnerabilites related to tiny_file_manager_project - tiny_file_manager
CVE-2022-40916 (GCVE-0-2022-40916)
Vulnerability from cvelistv5
Published
2025-02-06 00:00
Modified
2025-02-07 18:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Tiny File Manager v2.4.7 and below is vulnerable to session fixation.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-40916",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T18:51:12.408639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T18:51:41.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager v2.4.7 and below is vulnerable to session fixation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T16:39:32.880Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"url": "https://github.com/whitej3rry/CVE-2022-40916/blob/main/PoC.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-40916",
"datePublished": "2025-02-06T00:00:00.000Z",
"dateReserved": "2022-09-19T00:00:00.000Z",
"dateUpdated": "2025-02-07T18:51:41.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45475 (GCVE-0-2022-45475)
Vulnerability from cvelistv5
Published
2022-11-25 00:00
Modified
2025-04-29 14:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Remote command execution
Summary
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application's internal files. This is possible because the application is vulnerable to broken access control.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Tiny File Manager |
Version: 2.4.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:17:03.488Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45475",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T14:06:38.787949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T14:07:53.180Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tiny File Manager",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.4.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application\u0027s internal files. This is possible because the application is vulnerable to broken access control.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application\u0027s internal files. This is possible because the application is vulnerable to broken access control.\n\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote command execution",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-05T11:45:59.359Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-45475",
"datePublished": "2022-11-25T00:00:00.000Z",
"dateReserved": "2022-11-18T00:00:00.000Z",
"dateUpdated": "2025-04-29T14:07:53.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23044 (GCVE-0-2022-23044)
Vulnerability from cvelistv5
Published
2022-11-25 00:00
Modified
2025-04-25 17:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Remote command execution
Summary
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Tiny File Manager |
Version: 2.4.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:42.968Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-23044",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-25T17:33:35.101186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T17:33:39.212Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tiny File Manager",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.4.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.\n\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote command execution",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-05T11:42:19.302Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-23044",
"datePublished": "2022-11-25T00:00:00.000Z",
"dateReserved": "2022-01-10T00:00:00.000Z",
"dateUpdated": "2025-04-25T17:33:39.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1000 (GCVE-0-2022-1000)
Vulnerability from cvelistv5
Published
2022-03-17 10:30
Modified
2024-08-02 23:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424 | x_refsource_CONFIRM | |
| https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| prasathmani | prasathmani/tinyfilemanager |
Version: unspecified < 2.4.7 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:42.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "prasathmani/tinyfilemanager",
"vendor": "prasathmani",
"versions": [
{
"lessThan": "2.4.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-17T10:30:14",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965"
}
],
"source": {
"advisory": "5995a93f-0c4b-4f7d-aa59-a64424219424",
"discovery": "EXTERNAL"
},
"title": "Path Traversal in prasathmani/tinyfilemanager",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1000",
"STATE": "PUBLIC",
"TITLE": "Path Traversal in prasathmani/tinyfilemanager"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "prasathmani/tinyfilemanager",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.4.7"
}
]
}
}
]
},
"vendor_name": "prasathmani"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424"
},
{
"name": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965"
}
]
},
"source": {
"advisory": "5995a93f-0c4b-4f7d-aa59-a64424219424",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1000",
"datePublished": "2022-03-17T10:30:14",
"dateReserved": "2022-03-17T00:00:00",
"dateUpdated": "2024-08-02T23:47:42.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16790 (GCVE-0-2019-16790)
Vulnerability from cvelistv5
Published
2019-12-30 19:15
Modified
2024-08-05 01:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. Only authenticated users are impacted.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/prasathmani/tinyfilemanager/security/advisories/GHSA-w72h-v37j-rrwr | x_refsource_CONFIRM | |
| https://github.com/prasathmani/tinyfilemanager/commit/9a499734c5084e3c2eb505f100d50baac1793bd8 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tiny File Manager | Tiny File Manager |
Version: before 2.3.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.387Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/security/advisories/GHSA-w72h-v37j-rrwr"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/9a499734c5084e3c2eb505f100d50baac1793bd8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Tiny File Manager",
"vendor": "Tiny File Manager",
"versions": [
{
"status": "affected",
"version": "before 2.3.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. Only authenticated users are impacted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-30T19:15:14",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prasathmani/tinyfilemanager/security/advisories/GHSA-w72h-v37j-rrwr"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/9a499734c5084e3c2eb505f100d50baac1793bd8"
}
],
"source": {
"advisory": "GHSA-w72h-v37j-rrwr",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution in Tiny File Manager",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2019-16790",
"STATE": "PUBLIC",
"TITLE": "Remote Code Execution in Tiny File Manager"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Tiny File Manager",
"version": {
"version_data": [
{
"version_value": "before 2.3.9"
}
]
}
}
]
},
"vendor_name": "Tiny File Manager"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. Only authenticated users are impacted."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/prasathmani/tinyfilemanager/security/advisories/GHSA-w72h-v37j-rrwr",
"refsource": "CONFIRM",
"url": "https://github.com/prasathmani/tinyfilemanager/security/advisories/GHSA-w72h-v37j-rrwr"
},
{
"name": "https://github.com/prasathmani/tinyfilemanager/commit/9a499734c5084e3c2eb505f100d50baac1793bd8",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager/commit/9a499734c5084e3c2eb505f100d50baac1793bd8"
}
]
},
"source": {
"advisory": "GHSA-w72h-v37j-rrwr",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2019-16790",
"datePublished": "2019-12-30T19:15:14",
"dateReserved": "2019-09-24T00:00:00",
"dateUpdated": "2024-08-05T01:24:48.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40490 (GCVE-0-2022-40490)
Vulnerability from cvelistv5
Published
2025-02-06 00:00
Modified
2025-08-20 02:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-40490",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T21:05:55.786260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T21:07:34.886Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/whitej3rry/CVE-2022-40490/blob/main/PoC.md"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T02:25:20.632Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"url": "https://github.com/whitej3rry/CVE-2022-40490/blob/main/PoC.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-40490",
"datePublished": "2025-02-06T00:00:00.000Z",
"dateReserved": "2022-09-11T00:00:00.000Z",
"dateUpdated": "2025-08-20T02:25:20.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45476 (GCVE-0-2022-45476)
Vulnerability from cvelistv5
Published
2022-11-25 00:00
Modified
2025-04-29 14:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Remote command execution
Summary
Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Tiny File Manager |
Version: 2.4.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:17:03.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45476",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T14:04:39.679839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T14:05:00.400Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tiny File Manager",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.4.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.\n\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote command execution",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-05T12:08:51.944Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-45476",
"datePublished": "2022-11-25T00:00:00.000Z",
"dateReserved": "2022-11-18T00:00:00.000Z",
"dateUpdated": "2025-04-29T14:05:00.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12102 (GCVE-0-2020-12102)
Vulnerability from cvelistv5
Published
2020-04-28 21:01
Modified
2024-08-04 11:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In Tiny File Manager 2.4.1, there is a Path Traversal vulnerability in the ajax recursive directory listing functionality. This allows authenticated users to enumerate directories and files on the filesystem (outside of the application scope).
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:58.253Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/a0c595a8e11e55a43eeaa68e1a3ce76365f29d06"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/issues/357"
},
{
"tags": [
"x_transferred"
],
"url": "https://cyberaz0r.info/2020/04/tiny-file-manager-multiple-vulnerabilities/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Tiny File Manager 2.4.1, there is a Path Traversal vulnerability in the ajax recursive directory listing functionality. This allows authenticated users to enumerate directories and files on the filesystem (outside of the application scope)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-14T20:07:57.842023",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager/commit/a0c595a8e11e55a43eeaa68e1a3ce76365f29d06"
},
{
"url": "https://github.com/prasathmani/tinyfilemanager/issues/357"
},
{
"url": "https://cyberaz0r.info/2020/04/tiny-file-manager-multiple-vulnerabilities/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12102",
"datePublished": "2020-04-28T21:01:16",
"dateReserved": "2020-04-23T00:00:00",
"dateUpdated": "2024-08-04T11:48:58.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-45010 (GCVE-0-2021-45010)
Vulnerability from cvelistv5
Published
2022-03-15 11:13
Modified
2024-08-04 04:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:13.613Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-20T02:27:56",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45010",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/prasathmani/tinyfilemanager/pull/636",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636"
},
{
"name": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7"
},
{
"name": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/",
"refsource": "MISC",
"url": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/"
},
{
"name": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh",
"refsource": "MISC",
"url": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh"
},
{
"name": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss",
"refsource": "MISC",
"url": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss"
},
{
"name": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh",
"refsource": "MISC",
"url": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh"
},
{
"name": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1"
},
{
"name": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45010",
"datePublished": "2022-03-15T11:13:26",
"dateReserved": "2021-12-13T00:00:00",
"dateUpdated": "2024-08-04T04:32:13.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12103 (GCVE-0-2020-12103)
Vulnerability from cvelistv5
Published
2020-04-28 21:07
Modified
2024-08-04 11:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In Tiny File Manager 2.4.1 there is a vulnerability in the ajax file backup copy functionality which allows authenticated users to create backup copies of files (with .bak extension) outside the scope in the same directory in which they are stored.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:58.008Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/a0c595a8e11e55a43eeaa68e1a3ce76365f29d06"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/issues/357"
},
{
"tags": [
"x_transferred"
],
"url": "https://cyberaz0r.info/2020/04/tiny-file-manager-multiple-vulnerabilities/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Tiny File Manager 2.4.1 there is a vulnerability in the ajax file backup copy functionality which allows authenticated users to create backup copies of files (with .bak extension) outside the scope in the same directory in which they are stored."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-14T20:09:15.888492",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager/commit/a0c595a8e11e55a43eeaa68e1a3ce76365f29d06"
},
{
"url": "https://github.com/prasathmani/tinyfilemanager/issues/357"
},
{
"url": "https://cyberaz0r.info/2020/04/tiny-file-manager-multiple-vulnerabilities/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12103",
"datePublished": "2020-04-28T21:07:28",
"dateReserved": "2020-04-23T00:00:00",
"dateUpdated": "2024-08-04T11:48:58.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2022-11-25 18:15
Modified
2025-04-29 14:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application's internal files. This is possible because the application is vulnerable to broken access control.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| help@fluidattacks.com | https://fluidattacks.com/advisories/mosey/ | Exploit, Third Party Advisory | |
| help@fluidattacks.com | https://github.com/prasathmani/tinyfilemanager/ | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://fluidattacks.com/advisories/mosey/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/prasathmani/tinyfilemanager/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| tiny_file_manager_project | tiny_file_manager | 2.4.8 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tiny_file_manager_project:tiny_file_manager:2.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A57BAA59-F664-45DE-92C0-0EDBA5198FE5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application\u0027s internal files. This is possible because the application is vulnerable to broken access control.\n\n\n"
},
{
"lang": "es",
"value": "La versi\u00f3n 2.4.8 de Tiny File Manager permite que un atacante remoto no autenticado acceda a los archivos internos de la aplicaci\u00f3n. Esto es posible porque la aplicaci\u00f3n es vulnerable a un control de acceso roto."
}
],
"id": "CVE-2022-45475",
"lastModified": "2025-04-29T14:15:27.767",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-25T18:15:11.563",
"references": [
{
"source": "help@fluidattacks.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/mosey/"
},
{
"source": "help@fluidattacks.com",
"tags": [
"Product"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/mosey/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
}
],
"sourceIdentifier": "help@fluidattacks.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-25 18:15
Modified
2025-04-29 14:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| help@fluidattacks.com | https://fluidattacks.com/advisories/mosey/ | Exploit, Third Party Advisory | |
| help@fluidattacks.com | https://github.com/prasathmani/tinyfilemanager/ | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://fluidattacks.com/advisories/mosey/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/prasathmani/tinyfilemanager/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| tiny_file_manager_project | tiny_file_manager | 2.4.8 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tiny_file_manager_project:tiny_file_manager:2.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A57BAA59-F664-45DE-92C0-0EDBA5198FE5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.\n\n\n"
},
{
"lang": "es",
"value": "La versi\u00f3n 2.4.8 de Tiny File Manager ejecuta el c\u00f3digo de los archivos cargados por los usuarios de la aplicaci\u00f3n, en lugar de simplemente devolverlos para su descarga. Esto es posible porque la aplicaci\u00f3n es vulnerable a la carga de archivos no segura."
}
],
"id": "CVE-2022-45476",
"lastModified": "2025-04-29T14:15:27.947",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-25T18:15:11.630",
"references": [
{
"source": "help@fluidattacks.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/mosey/"
},
{
"source": "help@fluidattacks.com",
"tags": [
"Product"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/mosey/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
}
],
"sourceIdentifier": "help@fluidattacks.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-04-28 22:15
Modified
2024-11-21 04:59
Severity ?
Summary
In Tiny File Manager 2.4.1 there is a vulnerability in the ajax file backup copy functionality which allows authenticated users to create backup copies of files (with .bak extension) outside the scope in the same directory in which they are stored.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| tiny_file_manager_project | tiny_file_manager | 2.4.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tiny_file_manager_project:tiny_file_manager:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9D862BC9-ED4E-4324-9D7A-85722134DBF3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Tiny File Manager 2.4.1 there is a vulnerability in the ajax file backup copy functionality which allows authenticated users to create backup copies of files (with .bak extension) outside the scope in the same directory in which they are stored."
},
{
"lang": "es",
"value": "En Tiny File Manager 2.4.1 existe una vulnerabilidad en la funcionalidad de copia de respaldo de archivos ajax que permite a los usuarios autenticados crear copias de respaldo de archivos (con extensi\u00f3n .bak) fuera del alcance en el mismo directorio en el que est\u00e1n almacenados."
}
],
"id": "CVE-2020-12103",
"lastModified": "2024-11-21T04:59:15.060",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-04-28T22:15:12.780",
"references": [
{
"source": "cve@mitre.org",
"url": "https://cyberaz0r.info/2020/04/tiny-file-manager-multiple-vulnerabilities/"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/prasathmani/tinyfilemanager/commit/a0c595a8e11e55a43eeaa68e1a3ce76365f29d06"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/prasathmani/tinyfilemanager/issues/357"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://cyberaz0r.info/2020/04/tiny-file-manager-multiple-vulnerabilities/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/prasathmani/tinyfilemanager/commit/a0c595a8e11e55a43eeaa68e1a3ce76365f29d06"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/prasathmani/tinyfilemanager/issues/357"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-02-06 17:15
Modified
2025-08-20 03:15
Severity ?
Summary
Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/prasathmani/tinyfilemanager | Product | |
| cve@mitre.org | https://github.com/whitej3rry/CVE-2022-40490/blob/main/PoC.md | Exploit, Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/whitej3rry/CVE-2022-40490/blob/main/PoC.md | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| tiny_file_manager_project | tiny_file_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tiny_file_manager_project:tiny_file_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F6090EC5-8E40-4C48-9FE6-3C4838C9A0CE",
"versionEndIncluding": "2.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file."
},
{
"lang": "es",
"value": "Se descubri\u00f3 que Tiny File Manager v2.4.7 y versiones anteriores contienen una vulnerabilidad de Cross Site Scripting (XSS). Esta vulnerabilidad permite a los atacantes ejecutar c\u00f3digo arbitrario a trav\u00e9s de un payload manipulado inyectado en el nombre de un archivo cargado o ya existente."
}
],
"id": "CVE-2022-40490",
"lastModified": "2025-08-20T03:15:34.917",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-02-06T17:15:13.640",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/whitej3rry/CVE-2022-40490/blob/main/PoC.md"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/whitej3rry/CVE-2022-40490/blob/main/PoC.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cve@mitre.org",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-12-30 20:15
Modified
2024-11-21 04:31
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. Only authenticated users are impacted.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| tiny_file_manager_project | tiny_file_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tiny_file_manager_project:tiny_file_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E302B7F0-2BEA-4A4B-85A0-AF1FEDDD2C91",
"versionEndExcluding": "2.3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. Only authenticated users are impacted."
},
{
"lang": "es",
"value": "En Tiny File Manager versiones anteriores a la versi\u00f3n 2.3.9, Hay una ejecuci\u00f3n de c\u00f3digo remota por medio Upload desde URL y Edit/Rename files. Solo los usuarios autenticados est\u00e1n afectados."
}
],
"id": "CVE-2019-16790",
"lastModified": "2024-11-21T04:31:11.683",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 3.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-30T20:15:12.560",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/9a499734c5084e3c2eb505f100d50baac1793bd8"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/security/advisories/GHSA-w72h-v37j-rrwr"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/9a499734c5084e3c2eb505f100d50baac1793bd8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/security/advisories/GHSA-w72h-v37j-rrwr"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-17 11:15
Modified
2024-11-21 06:39
Severity ?
Summary
Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424 | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| tiny_file_manager_project | tiny_file_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tiny_file_manager_project:tiny_file_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DBAC1FFD-6679-4493-9374-7B6A67746000",
"versionEndExcluding": "2.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7."
},
{
"lang": "es",
"value": "Un Salto de Ruta en el repositorio de GitHub prasathmani/tinyfilemanager versiones anteriores a 2.4.7"
}
],
"id": "CVE-2022-1000",
"lastModified": "2024-11-21T06:39:49.910",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-17T11:15:07.797",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-15 12:15
Modified
2024-11-21 06:31
Severity ?
Summary
A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| tiny_file_manager_project | tiny_file_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tiny_file_manager_project:tiny_file_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F6090EC5-8E40-4C48-9FE6-3C4838C9A0CE",
"versionEndIncluding": "2.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution."
},
{
"lang": "es",
"value": "Una vulnerabilidad de cruce de rutas en la funcionalidad de carga de archivos en tinyfilemanager.php en Tiny File Manager antes de la versi\u00f3n 2.4.7 permite a los atacantes remotos (con cuentas de usuario v\u00e1lidas) cargar archivos PHP maliciosos en la ra\u00edz web, lo que lleva a la ejecuci\u00f3n de c\u00f3digo"
}
],
"id": "CVE-2021-45010",
"lastModified": "2024-11-21T06:31:48.350",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-15T12:15:08.380",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-02-06 17:15
Modified
2025-07-03 01:19
Severity ?
Summary
Tiny File Manager v2.4.7 and below is vulnerable to session fixation.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/prasathmani/tinyfilemanager | Product | |
| cve@mitre.org | https://github.com/whitej3rry/CVE-2022-40916/blob/main/PoC.md | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| tiny_file_manager_project | tiny_file_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tiny_file_manager_project:tiny_file_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F6090EC5-8E40-4C48-9FE6-3C4838C9A0CE",
"versionEndIncluding": "2.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager v2.4.7 and below is vulnerable to session fixation."
},
{
"lang": "es",
"value": "Tiny File Manager v2.4.7 y abajo es vulnerable a la fijaci\u00f3n de la sesi\u00f3n."
}
],
"id": "CVE-2022-40916",
"lastModified": "2025-07-03T01:19:04.573",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-02-06T17:15:13.757",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/whitej3rry/CVE-2022-40916/blob/main/PoC.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-384"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-25 17:15
Modified
2025-04-25 18:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| help@fluidattacks.com | https://fluidattacks.com/advisories/mosey/ | Exploit, Third Party Advisory | |
| help@fluidattacks.com | https://github.com/prasathmani/tinyfilemanager/ | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://fluidattacks.com/advisories/mosey/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/prasathmani/tinyfilemanager/ | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| tiny_file_manager_project | tiny_file_manager | 2.4.8 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tiny_file_manager_project:tiny_file_manager:2.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A57BAA59-F664-45DE-92C0-0EDBA5198FE5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.\n\n\n"
},
{
"lang": "es",
"value": "La versi\u00f3n 2.4.8 de Tiny File Manager permite a un atacante remoto no autenticado persuadir a los usuarios para que realicen acciones no deseadas dentro de la aplicaci\u00f3n. Esto es posible porque la aplicaci\u00f3n es vulnerable a CSRF."
}
],
"id": "CVE-2022-23044",
"lastModified": "2025-04-25T18:15:22.373",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-25T17:15:10.637",
"references": [
{
"source": "help@fluidattacks.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/mosey/"
},
{
"source": "help@fluidattacks.com",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/mosey/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
}
],
"sourceIdentifier": "help@fluidattacks.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-04-28 21:15
Modified
2024-11-21 04:59
Severity ?
Summary
In Tiny File Manager 2.4.1, there is a Path Traversal vulnerability in the ajax recursive directory listing functionality. This allows authenticated users to enumerate directories and files on the filesystem (outside of the application scope).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| tiny_file_manager_project | tiny_file_manager | 2.4.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tiny_file_manager_project:tiny_file_manager:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9D862BC9-ED4E-4324-9D7A-85722134DBF3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Tiny File Manager 2.4.1, there is a Path Traversal vulnerability in the ajax recursive directory listing functionality. This allows authenticated users to enumerate directories and files on the filesystem (outside of the application scope)."
},
{
"lang": "es",
"value": "En Tiny File Manager versi\u00f3n 2.4.1, hay una vulnerabilidad de Salto de Ruta en la funcionalidad de listado de directorio recursivo de ajax. Esto permite a los usuarios autenticados enumerar directorios y archivos en el sistema de archivos (fuera del alcance de la aplicaci\u00f3n)."
}
],
"id": "CVE-2020-12102",
"lastModified": "2024-11-21T04:59:14.920",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-04-28T21:15:11.773",
"references": [
{
"source": "cve@mitre.org",
"url": "https://cyberaz0r.info/2020/04/tiny-file-manager-multiple-vulnerabilities/"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/prasathmani/tinyfilemanager/commit/a0c595a8e11e55a43eeaa68e1a3ce76365f29d06"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/prasathmani/tinyfilemanager/issues/357"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://cyberaz0r.info/2020/04/tiny-file-manager-multiple-vulnerabilities/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/prasathmani/tinyfilemanager/commit/a0c595a8e11e55a43eeaa68e1a3ce76365f29d06"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/prasathmani/tinyfilemanager/issues/357"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}