16 matches found
CVE-2021-45010
Tiny File Manager (prasathmani) contains a path traversal vulnerability in tinyfilemanager.php’s file-upload functionality up to v2.4.7. An authenticated user can upload PHP files and, due to a root-cause mismatch in the upload handler (saving via $_REQUEST['fullpath'] while validating via $_FILE...
CVE-2022-1000
CVE-2022-1000 describes a path traversal vulnerability in the web-based Tiny File Manager project (prasathmani/tinyfilemanager) prior to version 2.4.7. According to connected sources, the flaw stems from how file uploads are handled when a file with the same name already exists: the code alters t...
CVE-2021-40964
CVE-2021-40964 concerns TinyFileManager up to version 2.4.6, where a path traversal flaw in the fullpath parameter allows uploading files outside the intended working directory. The root cause is inadequate validation/escaping of fullpath, enabling an attacker to place malicious files in arbitrar...
CVE-2019-16790
In Tiny File Manager, versions prior to 2.3.9 are affected by a remote code execution vulnerability exploitable via Upload from URL and Edit/Rename operations. The issue impacts authenticated users, with affected components being the Upload from URL and file-edit/rename paths. Root cause details ...
CVE-2020-12102
CVE-2020-12102 concerns Tiny File Manager 2.4.1 where a Path Traversal vulnerability exists in the ajax recursive directory listing. This enables authenticated users to enumerate directories and files on the filesystem outside the application scope. Connected sources describe the same impact and ...
CVE-2020-12103
Tiny File Manager 2.4.1 contains a vulnerability in the ajax file backup copy functionality that allows authenticated users to create backup copies (.bak) outside the intended scope in the same directory. The issue is due to a flaw in the backup copy feature. Remediation suggested in the connecte...
CVE-2022-23044
CVE-2022-23044 affects Tiny File Manager 2.4.8 and is caused by a CSRF vulnerability that allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. The initial description confirms CSRF as the root cause and unauthenticated access, with prac...
CVE-2022-45476
Tiny File Manager 2.4.8 is vulnerable to insecure file upload that allows server-side execution of uploaded code. Multiple sources describe unauthenticated remote code execution via processing uploaded files instead of serving them for download, enabling attackers to run arbitrary code on the ser...
CVE-2022-40916
Tiny File Manager vulnerability CVE-2022-40916 affects version 2.4.7 and earlier, due to a session-management flaw that enables session fixation. The issue is documented as a high-severity (CVSS 9.8) risk with network attack potential and no user interaction required. Public references indicate a...
CVE-2022-45475
Tiny File Manager 2.4.8 is affected by a broken access control vulnerability that allows an unauthenticated remote attacker to access internal files. The connected documents consistently identify the affected software and the access-control weakness, but do not provide concrete remediation steps ...
CVE-2025-44998
CVE-2025-44998 is a stored XSS in TinyFileManager v2.4.7, triggered in the /tinyfilemanager.php component via the js-theme-3 parameter. The vulnerability allows injecting arbitrary JavaScript/HTML, with PoCs showing script execution across the page and up to the login screen. Public exploit/PoC e...
CVE-2022-40490
CVE-2022-40490 affects Tiny File Manager v2.4.7 and earlier. A stored XSS flaw allows an attacker to execute arbitrary code by crafting a payload in a file name (uploaded or existing). The issue affects file-name handling and could enable code execution in affected deployments. Remediation is to ...
CVE-2021-40966
Summary: CVE-2021-40966 affects TinyFileManager up to version 2.4.6. The stored XSS arises when a server processes a filename containing HTML/JavaScript, specifically via the /tinyfilemanager.php endpoint. The root cause described across sources is lack of proper validation/escaping of parameters...
CVE-2021-40965
TinyFileManager is affected by a CSRF vulnerability up to version 2.4.6. The issue allows an attacker to induce an administrator to visit a URL controlled by the attacker, enabling file uploads and execution of OS commands. Concrete details across connected sources confirm the affected software/v...
CVE-2025-46651
CVE-2025-46651 affects Tiny File Manager up to version 2.6, where a server-side request forgery (SSRF) exists in the URL upload feature due to insufficient validation of user-supplied URLs. An attacker can craft requests to localhost (e.g., via domains like http://www.127.0.0.1.example.com/), pot...
CVE-2025-15138
TinyFileManager up to version 2.6 contains a path traversal flaw caused by manipulating the fullpath parameter in tinyfilemanager.php. The issue enables remote exploitation, with exploits published and the vendor reportedly unresponsive to disclosure. Public documents do not specify a patch versi...