cnvd - cnvd-2021-80269

CNVD-2021-80269

Vulnerability from cnvd - Published: 2021-10-26

Title

TinyFileManager跨站请求伪造漏洞

Description

TinyFileManager是一个基于Web的文件管理器。用于通过Web浏览器在线存储、上传、编辑和管理文件和文件夹。 TinyFileManager 2.4.6及以下所有版本存在跨站请求伪造漏洞，攻击者可利用该漏洞可以通过诱导Administrator用户浏览攻击者控制的URL来上传文件和运行操作系统命令。

Severity

高

Patch Name

TinyFileManager跨站请求伪造漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/prasathmani/tinyfilemanager

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-40965

Impacted products

Name
TinyFileManager TinyFileManager <=2.4.6

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-40965"
    }
  },
  "description": "TinyFileManager\u662f\u4e00\u4e2a\u57fa\u4e8eWeb\u7684\u6587\u4ef6\u7ba1\u7406\u5668\u3002\u7528\u4e8e\u901a\u8fc7Web\u6d4f\u89c8\u5668\u5728\u7ebf\u5b58\u50a8\u3001\u4e0a\u4f20\u3001\u7f16\u8f91\u548c\u7ba1\u7406\u6587\u4ef6\u548c\u6587\u4ef6\u5939\u3002\n\nTinyFileManager 2.4.6\u53ca\u4ee5\u4e0b\u6240\u6709\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u901a\u8fc7\u8bf1\u5bfcAdministrator\u7528\u6237\u6d4f\u89c8\u653b\u51fb\u8005\u63a7\u5236\u7684URL\u6765\u4e0a\u4f20\u6587\u4ef6\u548c\u8fd0\u884c\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/prasathmani/tinyfilemanager",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-80269",
  "openTime": "2021-10-26",
  "patchDescription": "TinyFileManager\u662f\u4e00\u4e2a\u57fa\u4e8eWeb\u7684\u6587\u4ef6\u7ba1\u7406\u5668\u3002\u7528\u4e8e\u901a\u8fc7Web\u6d4f\u89c8\u5668\u5728\u7ebf\u5b58\u50a8\u3001\u4e0a\u4f20\u3001\u7f16\u8f91\u548c\u7ba1\u7406\u6587\u4ef6\u548c\u6587\u4ef6\u5939\u3002\r\n\r\nTinyFileManager 2.4.6\u53ca\u4ee5\u4e0b\u6240\u6709\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u901a\u8fc7\u8bf1\u5bfcAdministrator\u7528\u6237\u6d4f\u89c8\u653b\u51fb\u8005\u63a7\u5236\u7684URL\u6765\u4e0a\u4f20\u6587\u4ef6\u548c\u8fd0\u884c\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "TinyFileManager\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "TinyFileManager TinyFileManager \u003c=2.4.6"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-40965",
  "serverity": "\u9ad8",
  "submitTime": "2021-09-17",
  "title": "TinyFileManager\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

CVE-2021-40965 (GCVE-0-2021-40965)

Vulnerability from cvelistv5 – Published: 2021-09-15 17:11 – Updated: 2024-08-04 02:59

Summary

A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/prasathmani/tinyfilemanager	x_refsource_MISC
	https://gist.github.com/omriinbar/953368dcdd9e5ee…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:30.870Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/prasathmani/tinyfilemanager"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-15T17:11:27",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/prasathmani/tinyfilemanager"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-40965",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/prasathmani/tinyfilemanager",
              "refsource": "MISC",
              "url": "https://github.com/prasathmani/tinyfilemanager"
            },
            {
              "name": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528",
              "refsource": "MISC",
              "url": "https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-40965",
    "datePublished": "2021-09-15T17:11:27",
    "dateReserved": "2021-09-13T00:00:00",
    "dateUpdated": "2024-08-04T02:59:30.870Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-80269

CVE-2021-40965 (GCVE-0-2021-40965)

Tags

Sightings

Nomenclature