Search criteria
44 vulnerabilities found for tiny_file_manager by prasathmani
CVE-2025-15138 (GCVE-0-2025-15138)
Vulnerability from nvd – Published: 2025-12-28 13:32 – Updated: 2025-12-29 16:40
VLAI?
Title
prasathmani TinyFileManager tinyfilemanager.php path traversal
Summary
A flaw has been found in prasathmani TinyFileManager up to 2.6. Affected by this issue is some unknown functionality of the file tinyfilemanager.php. This manipulation of the argument fullpath causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
CWE
- CWE-22 - Path Traversal
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| prasathmani | TinyFileManager |
Affected:
2.0
Affected: 2.1 Affected: 2.2 Affected: 2.3 Affected: 2.4 Affected: 2.5 Affected: 2.6 |
Credits
arrester (VulDB User)
arrester (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15138",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T16:39:59.948817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T16:40:10.063Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "TinyFileManager",
"vendor": "prasathmani",
"versions": [
{
"status": "affected",
"version": "2.0"
},
{
"status": "affected",
"version": "2.1"
},
{
"status": "affected",
"version": "2.2"
},
{
"status": "affected",
"version": "2.3"
},
{
"status": "affected",
"version": "2.4"
},
{
"status": "affected",
"version": "2.5"
},
{
"status": "affected",
"version": "2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "arrester (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "arrester (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in prasathmani TinyFileManager up to 2.6. Affected by this issue is some unknown functionality of the file tinyfilemanager.php. This manipulation of the argument fullpath causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T07:29:01.555Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-338516 | prasathmani TinyFileManager tinyfilemanager.php path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.338516"
},
{
"name": "VDB-338516 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.338516"
},
{
"name": "Submit #714177 | tinyfilemanager 2.6 File Upload(RCE)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.714177"
},
{
"tags": [
"exploit"
],
"url": "https://mesquite-dream-86b.notion.site/tinyfilemanager-File-Upload-RCE-Report-2c7512562197800d86b3e68534a56a91"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-12-27T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-12-29T08:33:50.000Z",
"value": "VulDB entry last update"
}
],
"title": "prasathmani TinyFileManager tinyfilemanager.php path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-15138",
"datePublished": "2025-12-28T13:32:08.843Z",
"dateReserved": "2025-12-27T10:07:46.338Z",
"dateUpdated": "2025-12-29T16:40:10.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-44998 (GCVE-0-2025-44998)
Vulnerability from nvd – Published: 2025-05-23 00:00 – Updated: 2025-05-23 18:56
VLAI?
Summary
A stored cross-site scripting (XSS) vulnerability in the component /tinyfilemanager.php of TinyFileManager v2.4.7 allows attackers to execute arbitrary JavaScript or HTML via injecting a crafted payload into the js-theme-3 parameter.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-44998",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-23T18:55:38.997882Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T18:56:35.929Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the component /tinyfilemanager.php of TinyFileManager v2.4.7 allows attackers to execute arbitrary JavaScript or HTML via injecting a crafted payload into the js-theme-3 parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T18:15:34.107Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"url": "https://github.com/l8BL/CVE-2025-44998"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-44998",
"datePublished": "2025-05-23T00:00:00.000Z",
"dateReserved": "2025-04-22T00:00:00.000Z",
"dateUpdated": "2025-05-23T18:56:35.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40916 (GCVE-0-2022-40916)
Vulnerability from nvd – Published: 2025-02-06 00:00 – Updated: 2025-02-07 18:51
VLAI?
Summary
Tiny File Manager v2.4.7 and below is vulnerable to session fixation.
Severity ?
9.8 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-40916",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T18:51:12.408639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T18:51:41.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager v2.4.7 and below is vulnerable to session fixation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T16:39:32.880Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"url": "https://github.com/whitej3rry/CVE-2022-40916/blob/main/PoC.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-40916",
"datePublished": "2025-02-06T00:00:00.000Z",
"dateReserved": "2022-09-19T00:00:00.000Z",
"dateUpdated": "2025-02-07T18:51:41.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40490 (GCVE-0-2022-40490)
Vulnerability from nvd – Published: 2025-02-06 00:00 – Updated: 2025-08-20 02:25
VLAI?
Summary
Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-40490",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T21:05:55.786260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T21:07:34.886Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/whitej3rry/CVE-2022-40490/blob/main/PoC.md"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T02:25:20.632Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"url": "https://github.com/whitej3rry/CVE-2022-40490/blob/main/PoC.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-40490",
"datePublished": "2025-02-06T00:00:00.000Z",
"dateReserved": "2022-09-11T00:00:00.000Z",
"dateUpdated": "2025-08-20T02:25:20.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45475 (GCVE-0-2022-45475)
Vulnerability from nvd – Published: 2022-11-25 00:00 – Updated: 2025-04-29 14:07
VLAI?
Summary
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application's internal files. This is possible because the application is vulnerable to broken access control.
Severity ?
6.5 (Medium)
CWE
- Remote command execution
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Tiny File Manager |
Affected:
2.4.8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:17:03.488Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45475",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T14:06:38.787949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T14:07:53.180Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tiny File Manager",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.4.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application\u0027s internal files. This is possible because the application is vulnerable to broken access control.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application\u0027s internal files. This is possible because the application is vulnerable to broken access control.\n\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote command execution",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-05T11:45:59.359Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-45475",
"datePublished": "2022-11-25T00:00:00.000Z",
"dateReserved": "2022-11-18T00:00:00.000Z",
"dateUpdated": "2025-04-29T14:07:53.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45476 (GCVE-0-2022-45476)
Vulnerability from nvd – Published: 2022-11-25 00:00 – Updated: 2025-04-29 14:05
VLAI?
Summary
Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.
Severity ?
9.8 (Critical)
CWE
- Remote command execution
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Tiny File Manager |
Affected:
2.4.8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:17:03.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45476",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T14:04:39.679839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T14:05:00.400Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tiny File Manager",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.4.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.\n\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote command execution",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-05T12:08:51.944Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-45476",
"datePublished": "2022-11-25T00:00:00.000Z",
"dateReserved": "2022-11-18T00:00:00.000Z",
"dateUpdated": "2025-04-29T14:05:00.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23044 (GCVE-0-2022-23044)
Vulnerability from nvd – Published: 2022-11-25 00:00 – Updated: 2025-04-25 17:33
VLAI?
Summary
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.
Severity ?
8.8 (High)
CWE
- Remote command execution
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Tiny File Manager |
Affected:
2.4.8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:42.968Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-23044",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-25T17:33:35.101186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T17:33:39.212Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tiny File Manager",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.4.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.\n\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote command execution",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-05T11:42:19.302Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-23044",
"datePublished": "2022-11-25T00:00:00.000Z",
"dateReserved": "2022-01-10T00:00:00.000Z",
"dateUpdated": "2025-04-25T17:33:39.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1000 (GCVE-0-2022-1000)
Vulnerability from nvd – Published: 2022-03-17 10:30 – Updated: 2024-08-02 23:47
VLAI?
Title
Path Traversal in prasathmani/tinyfilemanager
Summary
Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7.
Severity ?
8.8 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| prasathmani | prasathmani/tinyfilemanager |
Affected:
unspecified , < 2.4.7
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:42.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "prasathmani/tinyfilemanager",
"vendor": "prasathmani",
"versions": [
{
"lessThan": "2.4.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-17T10:30:14",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965"
}
],
"source": {
"advisory": "5995a93f-0c4b-4f7d-aa59-a64424219424",
"discovery": "EXTERNAL"
},
"title": "Path Traversal in prasathmani/tinyfilemanager",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1000",
"STATE": "PUBLIC",
"TITLE": "Path Traversal in prasathmani/tinyfilemanager"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "prasathmani/tinyfilemanager",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.4.7"
}
]
}
}
]
},
"vendor_name": "prasathmani"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424"
},
{
"name": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965"
}
]
},
"source": {
"advisory": "5995a93f-0c4b-4f7d-aa59-a64424219424",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1000",
"datePublished": "2022-03-17T10:30:14",
"dateReserved": "2022-03-17T00:00:00",
"dateUpdated": "2024-08-02T23:47:42.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-45010 (GCVE-0-2021-45010)
Vulnerability from nvd – Published: 2022-03-15 11:13 – Updated: 2024-08-04 04:32
VLAI?
Summary
A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:13.613Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-20T02:27:56",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45010",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/prasathmani/tinyfilemanager/pull/636",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636"
},
{
"name": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7"
},
{
"name": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/",
"refsource": "MISC",
"url": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/"
},
{
"name": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh",
"refsource": "MISC",
"url": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh"
},
{
"name": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss",
"refsource": "MISC",
"url": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss"
},
{
"name": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh",
"refsource": "MISC",
"url": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh"
},
{
"name": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1"
},
{
"name": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45010",
"datePublished": "2022-03-15T11:13:26",
"dateReserved": "2021-12-13T00:00:00",
"dateUpdated": "2024-08-04T04:32:13.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-40965 (GCVE-0-2021-40965)
Vulnerability from nvd – Published: 2021-09-15 17:11 – Updated: 2024-08-04 02:59
VLAI?
Summary
A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:30.870Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-15T17:11:27",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-40965",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/prasathmani/tinyfilemanager",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"name": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528",
"refsource": "MISC",
"url": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-40965",
"datePublished": "2021-09-15T17:11:27",
"dateReserved": "2021-09-13T00:00:00",
"dateUpdated": "2024-08-04T02:59:30.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-40966 (GCVE-0-2021-40966)
Vulnerability from nvd – Published: 2021-09-15 17:10 – Updated: 2024-08-04 02:59
VLAI?
Summary
A Stored XSS exists in TinyFileManager All version up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that contains HTML and javascript in its name. A malicious user can upload a file with a malicious filename containing javascript code and it will run on any user browser when they access the server.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:30.871Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Stored XSS exists in TinyFileManager All version up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that contains HTML and javascript in its name. A malicious user can upload a file with a malicious filename containing javascript code and it will run on any user browser when they access the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-15T17:10:32",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-40966",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Stored XSS exists in TinyFileManager All version up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that contains HTML and javascript in its name. A malicious user can upload a file with a malicious filename containing javascript code and it will run on any user browser when they access the server."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/prasathmani/tinyfilemanager",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"name": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528",
"refsource": "MISC",
"url": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-40966",
"datePublished": "2021-09-15T17:10:32",
"dateReserved": "2021-09-13T00:00:00",
"dateUpdated": "2024-08-04T02:59:30.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-40964 (GCVE-0-2021-40964)
Vulnerability from nvd – Published: 2021-09-15 17:12 – Updated: 2024-08-04 02:59
VLAI?
Summary
A Path Traversal vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the "fullpath" parameter containing path traversal strings (../ and ..\) in order to escape the server's intended working directory and write malicious files onto any directory on the computer.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:30.328Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Path Traversal vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the \"fullpath\" parameter containing path traversal strings (../ and ..\\) in order to escape the server\u0027s intended working directory and write malicious files onto any directory on the computer."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-16T18:06:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-40964",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Path Traversal vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the \"fullpath\" parameter containing path traversal strings (../ and ..\\) in order to escape the server\u0027s intended working directory and write malicious files onto any directory on the computer."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/prasathmani/tinyfilemanager",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"name": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528",
"refsource": "MISC",
"url": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528"
},
{
"name": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-40964",
"datePublished": "2021-09-15T17:12:28",
"dateReserved": "2021-09-13T00:00:00",
"dateUpdated": "2024-08-04T02:59:30.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-15138 (GCVE-0-2025-15138)
Vulnerability from cvelistv5 – Published: 2025-12-28 13:32 – Updated: 2025-12-29 16:40
VLAI?
Title
prasathmani TinyFileManager tinyfilemanager.php path traversal
Summary
A flaw has been found in prasathmani TinyFileManager up to 2.6. Affected by this issue is some unknown functionality of the file tinyfilemanager.php. This manipulation of the argument fullpath causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
CWE
- CWE-22 - Path Traversal
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| prasathmani | TinyFileManager |
Affected:
2.0
Affected: 2.1 Affected: 2.2 Affected: 2.3 Affected: 2.4 Affected: 2.5 Affected: 2.6 |
Credits
arrester (VulDB User)
arrester (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15138",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T16:39:59.948817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T16:40:10.063Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "TinyFileManager",
"vendor": "prasathmani",
"versions": [
{
"status": "affected",
"version": "2.0"
},
{
"status": "affected",
"version": "2.1"
},
{
"status": "affected",
"version": "2.2"
},
{
"status": "affected",
"version": "2.3"
},
{
"status": "affected",
"version": "2.4"
},
{
"status": "affected",
"version": "2.5"
},
{
"status": "affected",
"version": "2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "arrester (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "arrester (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in prasathmani TinyFileManager up to 2.6. Affected by this issue is some unknown functionality of the file tinyfilemanager.php. This manipulation of the argument fullpath causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T07:29:01.555Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-338516 | prasathmani TinyFileManager tinyfilemanager.php path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.338516"
},
{
"name": "VDB-338516 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.338516"
},
{
"name": "Submit #714177 | tinyfilemanager 2.6 File Upload(RCE)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.714177"
},
{
"tags": [
"exploit"
],
"url": "https://mesquite-dream-86b.notion.site/tinyfilemanager-File-Upload-RCE-Report-2c7512562197800d86b3e68534a56a91"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-12-27T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-12-29T08:33:50.000Z",
"value": "VulDB entry last update"
}
],
"title": "prasathmani TinyFileManager tinyfilemanager.php path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-15138",
"datePublished": "2025-12-28T13:32:08.843Z",
"dateReserved": "2025-12-27T10:07:46.338Z",
"dateUpdated": "2025-12-29T16:40:10.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-44998 (GCVE-0-2025-44998)
Vulnerability from cvelistv5 – Published: 2025-05-23 00:00 – Updated: 2025-05-23 18:56
VLAI?
Summary
A stored cross-site scripting (XSS) vulnerability in the component /tinyfilemanager.php of TinyFileManager v2.4.7 allows attackers to execute arbitrary JavaScript or HTML via injecting a crafted payload into the js-theme-3 parameter.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-44998",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-23T18:55:38.997882Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T18:56:35.929Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the component /tinyfilemanager.php of TinyFileManager v2.4.7 allows attackers to execute arbitrary JavaScript or HTML via injecting a crafted payload into the js-theme-3 parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T18:15:34.107Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"url": "https://github.com/l8BL/CVE-2025-44998"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-44998",
"datePublished": "2025-05-23T00:00:00.000Z",
"dateReserved": "2025-04-22T00:00:00.000Z",
"dateUpdated": "2025-05-23T18:56:35.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40916 (GCVE-0-2022-40916)
Vulnerability from cvelistv5 – Published: 2025-02-06 00:00 – Updated: 2025-02-07 18:51
VLAI?
Summary
Tiny File Manager v2.4.7 and below is vulnerable to session fixation.
Severity ?
9.8 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-40916",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T18:51:12.408639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T18:51:41.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager v2.4.7 and below is vulnerable to session fixation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T16:39:32.880Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"url": "https://github.com/whitej3rry/CVE-2022-40916/blob/main/PoC.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-40916",
"datePublished": "2025-02-06T00:00:00.000Z",
"dateReserved": "2022-09-19T00:00:00.000Z",
"dateUpdated": "2025-02-07T18:51:41.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40490 (GCVE-0-2022-40490)
Vulnerability from cvelistv5 – Published: 2025-02-06 00:00 – Updated: 2025-08-20 02:25
VLAI?
Summary
Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-40490",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T21:05:55.786260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T21:07:34.886Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/whitej3rry/CVE-2022-40490/blob/main/PoC.md"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T02:25:20.632Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"url": "https://github.com/whitej3rry/CVE-2022-40490/blob/main/PoC.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-40490",
"datePublished": "2025-02-06T00:00:00.000Z",
"dateReserved": "2022-09-11T00:00:00.000Z",
"dateUpdated": "2025-08-20T02:25:20.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45475 (GCVE-0-2022-45475)
Vulnerability from cvelistv5 – Published: 2022-11-25 00:00 – Updated: 2025-04-29 14:07
VLAI?
Summary
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application's internal files. This is possible because the application is vulnerable to broken access control.
Severity ?
6.5 (Medium)
CWE
- Remote command execution
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Tiny File Manager |
Affected:
2.4.8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:17:03.488Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45475",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T14:06:38.787949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T14:07:53.180Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tiny File Manager",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.4.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application\u0027s internal files. This is possible because the application is vulnerable to broken access control.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application\u0027s internal files. This is possible because the application is vulnerable to broken access control.\n\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote command execution",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-05T11:45:59.359Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-45475",
"datePublished": "2022-11-25T00:00:00.000Z",
"dateReserved": "2022-11-18T00:00:00.000Z",
"dateUpdated": "2025-04-29T14:07:53.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23044 (GCVE-0-2022-23044)
Vulnerability from cvelistv5 – Published: 2022-11-25 00:00 – Updated: 2025-04-25 17:33
VLAI?
Summary
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.
Severity ?
8.8 (High)
CWE
- Remote command execution
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Tiny File Manager |
Affected:
2.4.8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:42.968Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-23044",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-25T17:33:35.101186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T17:33:39.212Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tiny File Manager",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.4.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.\n\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote command execution",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-05T11:42:19.302Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-23044",
"datePublished": "2022-11-25T00:00:00.000Z",
"dateReserved": "2022-01-10T00:00:00.000Z",
"dateUpdated": "2025-04-25T17:33:39.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45476 (GCVE-0-2022-45476)
Vulnerability from cvelistv5 – Published: 2022-11-25 00:00 – Updated: 2025-04-29 14:05
VLAI?
Summary
Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.
Severity ?
9.8 (Critical)
CWE
- Remote command execution
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Tiny File Manager |
Affected:
2.4.8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:17:03.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45476",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T14:04:39.679839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T14:05:00.400Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tiny File Manager",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.4.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.\n\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote command execution",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-05T12:08:51.944Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"url": "https://fluidattacks.com/advisories/mosey/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-45476",
"datePublished": "2022-11-25T00:00:00.000Z",
"dateReserved": "2022-11-18T00:00:00.000Z",
"dateUpdated": "2025-04-29T14:05:00.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1000 (GCVE-0-2022-1000)
Vulnerability from cvelistv5 – Published: 2022-03-17 10:30 – Updated: 2024-08-02 23:47
VLAI?
Title
Path Traversal in prasathmani/tinyfilemanager
Summary
Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7.
Severity ?
8.8 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| prasathmani | prasathmani/tinyfilemanager |
Affected:
unspecified , < 2.4.7
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:42.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "prasathmani/tinyfilemanager",
"vendor": "prasathmani",
"versions": [
{
"lessThan": "2.4.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-17T10:30:14",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965"
}
],
"source": {
"advisory": "5995a93f-0c4b-4f7d-aa59-a64424219424",
"discovery": "EXTERNAL"
},
"title": "Path Traversal in prasathmani/tinyfilemanager",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1000",
"STATE": "PUBLIC",
"TITLE": "Path Traversal in prasathmani/tinyfilemanager"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "prasathmani/tinyfilemanager",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.4.7"
}
]
}
}
]
},
"vendor_name": "prasathmani"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424"
},
{
"name": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965"
}
]
},
"source": {
"advisory": "5995a93f-0c4b-4f7d-aa59-a64424219424",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1000",
"datePublished": "2022-03-17T10:30:14",
"dateReserved": "2022-03-17T00:00:00",
"dateUpdated": "2024-08-02T23:47:42.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-45010 (GCVE-0-2021-45010)
Vulnerability from cvelistv5 – Published: 2022-03-15 11:13 – Updated: 2024-08-04 04:32
VLAI?
Summary
A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:13.613Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-20T02:27:56",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45010",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/prasathmani/tinyfilemanager/pull/636",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636"
},
{
"name": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7"
},
{
"name": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/",
"refsource": "MISC",
"url": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/"
},
{
"name": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh",
"refsource": "MISC",
"url": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh"
},
{
"name": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss",
"refsource": "MISC",
"url": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss"
},
{
"name": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh",
"refsource": "MISC",
"url": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh"
},
{
"name": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1",
"refsource": "MISC",
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1"
},
{
"name": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45010",
"datePublished": "2022-03-15T11:13:26",
"dateReserved": "2021-12-13T00:00:00",
"dateUpdated": "2024-08-04T04:32:13.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2025-44998
Vulnerability from fkie_nvd - Published: 2025-05-23 19:15 - Updated: 2025-12-31 19:43
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability in the component /tinyfilemanager.php of TinyFileManager v2.4.7 allows attackers to execute arbitrary JavaScript or HTML via injecting a crafted payload into the js-theme-3 parameter.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/l8BL/CVE-2025-44998 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://github.com/prasathmani/tinyfilemanager | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prasathmani | tiny_file_manager | 2.4.7 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prasathmani:tiny_file_manager:2.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "EEEC7BFA-001A-4874-B827-E4026051EB05",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the component /tinyfilemanager.php of TinyFileManager v2.4.7 allows attackers to execute arbitrary JavaScript or HTML via injecting a crafted payload into the js-theme-3 parameter."
},
{
"lang": "es",
"value": "Una vulnerabilidad de cross-site scripting (XSS) almacenado en el componente /tinyfilemanager.php de TinyFileManager v2.4.7 permite a los atacantes ejecutar JavaScript o HTML arbitrario mediante la inyecci\u00f3n de un payload manipulado en el par\u00e1metro js-theme-3."
}
],
"id": "CVE-2025-44998",
"lastModified": "2025-12-31T19:43:08.047",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-05-23T19:15:22.237",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/l8BL/CVE-2025-44998"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/prasathmani/tinyfilemanager"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-40916
Vulnerability from fkie_nvd - Published: 2025-02-06 17:15 - Updated: 2025-12-31 19:40
Severity ?
Summary
Tiny File Manager v2.4.7 and below is vulnerable to session fixation.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/prasathmani/tinyfilemanager | Product | |
| cve@mitre.org | https://github.com/whitej3rry/CVE-2022-40916/blob/main/PoC.md | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prasathmani | tiny_file_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prasathmani:tiny_file_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E9FD4CBF-2FBB-42C1-AFED-39A6D206E1BB",
"versionEndIncluding": "2.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager v2.4.7 and below is vulnerable to session fixation."
},
{
"lang": "es",
"value": "Tiny File Manager v2.4.7 y abajo es vulnerable a la fijaci\u00f3n de la sesi\u00f3n."
}
],
"id": "CVE-2022-40916",
"lastModified": "2025-12-31T19:40:50.980",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-02-06T17:15:13.757",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/whitej3rry/CVE-2022-40916/blob/main/PoC.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-384"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-40490
Vulnerability from fkie_nvd - Published: 2025-02-06 17:15 - Updated: 2025-12-31 19:40
Severity ?
Summary
Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/prasathmani/tinyfilemanager | Product | |
| cve@mitre.org | https://github.com/whitej3rry/CVE-2022-40490/blob/main/PoC.md | Exploit, Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/whitej3rry/CVE-2022-40490/blob/main/PoC.md | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prasathmani | tiny_file_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prasathmani:tiny_file_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E9FD4CBF-2FBB-42C1-AFED-39A6D206E1BB",
"versionEndIncluding": "2.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file."
},
{
"lang": "es",
"value": "Se descubri\u00f3 que Tiny File Manager v2.4.7 y versiones anteriores contienen una vulnerabilidad de Cross Site Scripting (XSS). Esta vulnerabilidad permite a los atacantes ejecutar c\u00f3digo arbitrario a trav\u00e9s de un payload manipulado inyectado en el nombre de un archivo cargado o ya existente."
}
],
"id": "CVE-2022-40490",
"lastModified": "2025-12-31T19:40:50.980",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-02-06T17:15:13.640",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/whitej3rry/CVE-2022-40490/blob/main/PoC.md"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/whitej3rry/CVE-2022-40490/blob/main/PoC.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-45476
Vulnerability from fkie_nvd - Published: 2022-11-25 18:15 - Updated: 2025-12-31 19:40
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.
References
| URL | Tags | ||
|---|---|---|---|
| help@fluidattacks.com | https://fluidattacks.com/advisories/mosey/ | Exploit, Third Party Advisory | |
| help@fluidattacks.com | https://github.com/prasathmani/tinyfilemanager/ | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://fluidattacks.com/advisories/mosey/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/prasathmani/tinyfilemanager/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prasathmani | tiny_file_manager | 2.4.8 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prasathmani:tiny_file_manager:2.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "502A6A72-602E-4F50-B2F8-BC4280F13CAD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.\n\n\n"
},
{
"lang": "es",
"value": "La versi\u00f3n 2.4.8 de Tiny File Manager ejecuta el c\u00f3digo de los archivos cargados por los usuarios de la aplicaci\u00f3n, en lugar de simplemente devolverlos para su descarga. Esto es posible porque la aplicaci\u00f3n es vulnerable a la carga de archivos no segura."
}
],
"id": "CVE-2022-45476",
"lastModified": "2025-12-31T19:40:50.980",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-25T18:15:11.630",
"references": [
{
"source": "help@fluidattacks.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/mosey/"
},
{
"source": "help@fluidattacks.com",
"tags": [
"Product"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/mosey/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
}
],
"sourceIdentifier": "help@fluidattacks.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-45475
Vulnerability from fkie_nvd - Published: 2022-11-25 18:15 - Updated: 2025-12-31 19:40
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application's internal files. This is possible because the application is vulnerable to broken access control.
References
| URL | Tags | ||
|---|---|---|---|
| help@fluidattacks.com | https://fluidattacks.com/advisories/mosey/ | Exploit, Third Party Advisory | |
| help@fluidattacks.com | https://github.com/prasathmani/tinyfilemanager/ | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://fluidattacks.com/advisories/mosey/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/prasathmani/tinyfilemanager/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prasathmani | tiny_file_manager | 2.4.8 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prasathmani:tiny_file_manager:2.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "502A6A72-602E-4F50-B2F8-BC4280F13CAD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application\u0027s internal files. This is possible because the application is vulnerable to broken access control.\n\n\n"
},
{
"lang": "es",
"value": "La versi\u00f3n 2.4.8 de Tiny File Manager permite que un atacante remoto no autenticado acceda a los archivos internos de la aplicaci\u00f3n. Esto es posible porque la aplicaci\u00f3n es vulnerable a un control de acceso roto."
}
],
"id": "CVE-2022-45475",
"lastModified": "2025-12-31T19:40:50.980",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-25T18:15:11.563",
"references": [
{
"source": "help@fluidattacks.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/mosey/"
},
{
"source": "help@fluidattacks.com",
"tags": [
"Product"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/mosey/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
}
],
"sourceIdentifier": "help@fluidattacks.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-23044
Vulnerability from fkie_nvd - Published: 2022-11-25 17:15 - Updated: 2025-12-31 19:40
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.
References
| URL | Tags | ||
|---|---|---|---|
| help@fluidattacks.com | https://fluidattacks.com/advisories/mosey/ | Exploit, Third Party Advisory | |
| help@fluidattacks.com | https://github.com/prasathmani/tinyfilemanager/ | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://fluidattacks.com/advisories/mosey/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/prasathmani/tinyfilemanager/ | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prasathmani | tiny_file_manager | 2.4.8 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prasathmani:tiny_file_manager:2.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "502A6A72-602E-4F50-B2F8-BC4280F13CAD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.\n\n\n"
},
{
"lang": "es",
"value": "La versi\u00f3n 2.4.8 de Tiny File Manager permite a un atacante remoto no autenticado persuadir a los usuarios para que realicen acciones no deseadas dentro de la aplicaci\u00f3n. Esto es posible porque la aplicaci\u00f3n es vulnerable a CSRF."
}
],
"id": "CVE-2022-23044",
"lastModified": "2025-12-31T19:40:50.980",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-25T17:15:10.637",
"references": [
{
"source": "help@fluidattacks.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/mosey/"
},
{
"source": "help@fluidattacks.com",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/mosey/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/"
}
],
"sourceIdentifier": "help@fluidattacks.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-1000
Vulnerability from fkie_nvd - Published: 2022-03-17 11:15 - Updated: 2025-12-31 19:40
Severity ?
Summary
Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7.
References
| URL | Tags | ||
|---|---|---|---|
| security@huntr.dev | https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424 | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prasathmani | tiny_file_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prasathmani:tiny_file_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F80033DB-2C3F-4F99-9BF2-0196C6908C03",
"versionEndExcluding": "2.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7."
},
{
"lang": "es",
"value": "Un Salto de Ruta en el repositorio de GitHub prasathmani/tinyfilemanager versiones anteriores a 2.4.7"
}
],
"id": "CVE-2022-1000",
"lastModified": "2025-12-31T19:40:50.980",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-17T11:15:07.797",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/5995a93f-0c4b-4f7d-aa59-a64424219424"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-45010
Vulnerability from fkie_nvd - Published: 2022-03-15 12:15 - Updated: 2025-12-31 19:40
Severity ?
Summary
A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prasathmani | tiny_file_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prasathmani:tiny_file_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E9FD4CBF-2FBB-42C1-AFED-39A6D206E1BB",
"versionEndIncluding": "2.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution."
},
{
"lang": "es",
"value": "Una vulnerabilidad de cruce de rutas en la funcionalidad de carga de archivos en tinyfilemanager.php en Tiny File Manager antes de la versi\u00f3n 2.4.7 permite a los atacantes remotos (con cuentas de usuario v\u00e1lidas) cargar archivos PHP maliciosos en la ra\u00edz web, lo que lleva a la ejecuci\u00f3n de c\u00f3digo"
}
],
"id": "CVE-2021-45010",
"lastModified": "2025-12-31T19:40:50.980",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-15T12:15:08.380",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://sploitus.com/exploit?id=1337DAY-ID-37364\u0026utm_source=rss\u0026utm_medium=rss"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-40965
Vulnerability from fkie_nvd - Published: 2021-09-15 18:15 - Updated: 2025-12-31 19:40
Severity ?
Summary
A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528 | Third Party Advisory | |
| cve@mitre.org | https://github.com/prasathmani/tinyfilemanager | Product, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/prasathmani/tinyfilemanager | Product, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prasathmani | tiny_file_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:prasathmani:tiny_file_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B97C4E43-399D-4341-A054-15588F9E69A2",
"versionEndIncluding": "2.4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en TinyFileManager en Todas las versiones hasta 2.4.6 incluy\u00e9ndola, que permite a atacantes subir archivos y ejecutar comandos del Sistema Operativo induciendo al usuario administrador a navegar por una URL controlada por un atacante"
}
],
"id": "CVE-2021-40965",
"lastModified": "2025-12-31T19:40:50.980",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-15T18:15:09.470",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/prasathmani/tinyfilemanager"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}