Lucene search
K
PrasathmaniTiny File Manager

16 matches found

CVE
CVE
added 2022/03/15 11:13 a.m.219 views

CVE-2021-45010

Tiny File Manager (prasathmani) contains a path traversal vulnerability in tinyfilemanager.php’s file-upload functionality up to v2.4.7. An authenticated user can upload PHP files and, due to a root-cause mismatch in the upload handler (saving via $_REQUEST['fullpath'] while validating via $_FILE...

8.8CVSS7.7AI score0.7008EPSS
CVE
CVE
added 2022/03/17 10:30 a.m.109 views

CVE-2022-1000

CVE-2022-1000 describes a path traversal vulnerability in the web-based Tiny File Manager project (prasathmani/tinyfilemanager) prior to version 2.4.7. According to connected sources, the flaw stems from how file uploads are handled when a file with the same name already exists: the code alters t...

9.8CVSS9.3AI score0.01864EPSS
CVE
CVE
added 2021/09/15 5:12 p.m.100 views

CVE-2021-40964

CVE-2021-40964 concerns TinyFileManager up to version 2.4.6, where a path traversal flaw in the fullpath parameter allows uploading files outside the intended working directory. The root cause is inadequate validation/escaping of fullpath, enabling an attacker to place malicious files in arbitrar...

6.5CVSS6.8AI score0.08235EPSS
CVE
CVE
added 2019/12/30 7:15 p.m.83 views

CVE-2019-16790

In Tiny File Manager, versions prior to 2.3.9 are affected by a remote code execution vulnerability exploitable via Upload from URL and Edit/Rename operations. The issue impacts authenticated users, with affected components being the Upload from URL and file-edit/rename paths. Root cause details ...

8.8CVSS7.9AI score0.01243EPSS
CVE
CVE
added 2020/04/28 9:1 p.m.83 views

CVE-2020-12102

CVE-2020-12102 concerns Tiny File Manager 2.4.1 where a Path Traversal vulnerability exists in the ajax recursive directory listing. This enables authenticated users to enumerate directories and files on the filesystem outside the application scope. Connected sources describe the same impact and ...

7.7CVSS7.3AI score0.0183EPSS
CVE
CVE
added 2020/04/28 9:7 p.m.80 views

CVE-2020-12103

Tiny File Manager 2.4.1 contains a vulnerability in the ajax file backup copy functionality that allows authenticated users to create backup copies (.bak) outside the intended scope in the same directory. The issue is due to a flaw in the backup copy feature. Remediation suggested in the connecte...

7.7CVSS7.3AI score0.01458EPSS
CVE
CVE
added 2022/11/25 12:0 a.m.71 views

CVE-2022-23044

CVE-2022-23044 affects Tiny File Manager 2.4.8 and is caused by a CSRF vulnerability that allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. The initial description confirms CSRF as the root cause and unauthenticated access, with prac...

8.8CVSS8.6AI score0.00419EPSS
CVE
CVE
added 2022/11/25 12:0 a.m.70 views

CVE-2022-45476

Tiny File Manager 2.4.8 is vulnerable to insecure file upload that allows server-side execution of uploaded code. Multiple sources describe unauthenticated remote code execution via processing uploaded files instead of serving them for download, enabling attackers to run arbitrary code on the ser...

9.8CVSS9.4AI score0.0098EPSS
CVE
CVE
added 2025/02/06 12:0 a.m.63 views

CVE-2022-40916

Tiny File Manager vulnerability CVE-2022-40916 affects version 2.4.7 and earlier, due to a session-management flaw that enables session fixation. The issue is documented as a high-severity (CVSS 9.8) risk with network attack potential and no user interaction required. Public references indicate a...

9.8CVSS7.1AI score0.00802EPSS
CVE
CVE
added 2022/11/25 12:0 a.m.63 views

CVE-2022-45475

Tiny File Manager 2.4.8 is affected by a broken access control vulnerability that allows an unauthenticated remote attacker to access internal files. The connected documents consistently identify the affected software and the access-control weakness, but do not provide concrete remediation steps ...

6.5CVSS6.5AI score0.00846EPSS
CVE
CVE
added 2025/05/23 12:0 a.m.63 views

CVE-2025-44998

CVE-2025-44998 is a stored XSS in TinyFileManager v2.4.7, triggered in the /tinyfilemanager.php component via the js-theme-3 parameter. The vulnerability allows injecting arbitrary JavaScript/HTML, with PoCs showing script execution across the page and up to the login screen. Public exploit/PoC e...

6.1CVSS5.9AI score0.00241EPSS
CVE
CVE
added 2025/02/06 12:0 a.m.56 views

CVE-2022-40490

CVE-2022-40490 affects Tiny File Manager v2.4.7 and earlier. A stored XSS flaw allows an attacker to execute arbitrary code by crafting a payload in a file name (uploaded or existing). The issue affects file-name handling and could enable code execution in affected deployments. Remediation is to ...

4.8CVSS7.1AI score0.00386EPSS
CVE
CVE
added 2021/09/15 5:10 p.m.49 views

CVE-2021-40966

Summary: CVE-2021-40966 affects TinyFileManager up to version 2.4.6. The stored XSS arises when a server processes a filename containing HTML/JavaScript, specifically via the /tinyfilemanager.php endpoint. The root cause described across sources is lack of proper validation/escaping of parameters...

5.4CVSS5.3AI score0.00538EPSS
CVE
CVE
added 2021/09/15 5:11 p.m.45 views

CVE-2021-40965

TinyFileManager is affected by a CSRF vulnerability up to version 2.4.6. The issue allows an attacker to induce an administrator to visit a URL controlled by the attacker, enabling file uploads and execution of OS commands. Concrete details across connected sources confirm the affected software/v...

9.3CVSS8.9AI score0.00596EPSS
CVE
CVE
added 2026/02/03 12:0 a.m.25 views

CVE-2025-46651

CVE-2025-46651 affects Tiny File Manager up to version 2.6, where a server-side request forgery (SSRF) exists in the URL upload feature due to insufficient validation of user-supplied URLs. An attacker can craft requests to localhost (e.g., via domains like http://www.127.0.0.1.example.com/), pot...

4.3CVSS5.5AI score0.00255EPSS
CVE
CVE
added 2025/12/28 1:32 p.m.17 views

CVE-2025-15138

TinyFileManager up to version 2.6 contains a path traversal flaw caused by manipulating the fullpath parameter in tinyfilemanager.php. The issue enables remote exploitation, with exploits published and the vendor reportedly unresponsive to disclosure. Public documents do not specify a patch versi...

7.2CVSS6AI score0.00557EPSS