CVE-2021-40964
Published: 2021-09-15
Priority: P3 · 51 · medium · CVSS 3.1 base score 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploit: EPSS 8.24% (94.2nd percentile)
A Path Traversal vulnerability exists in TinyFileManager in all versions up to and including 2.4.6 that allows an attacker to upload a file (with Admin credentials, or without them via the CSRF vulnerability) with the "fullpath" parameter containing path traversal sequences (../ and ..\) in order to escape the server's intended working directory and write malicious files into any directory on the host. The CVSS vector (PR:N, UI:R) scores the CSRF route: no credentials are needed if an authenticated admin can be made to issue the request. Because the application is PHP running under the web server's identity, a write into the document root is a web shell, which is why the Packet Storm reference below is titled "Shell Upload".
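The bug class described above, as an added illustration that is not Tiny File Manager's own (PHP) code: a resolver that appends the client-controlled "fullpath" under the upload root and normalises it (the traversal escapes), beside a hardened resolver that rejects ".." segments on either separator and confirms containment, plus a log-side check that flags requests whose decoded "fullpath" contains a traversal. The function names, the upload root and the sample log lines are assumptions constructed for this example.

```python
"""Path traversal through an upload handler's "fullpath" parameter.

Illustrative Python, not Tiny File Manager's own code. Function names, the
upload root and the sample log lines below are assumptions for this example.
"""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

UPLOAD_ROOT = "/var/www/html/uploads"  # assumed upload directory


def vulnerable_target(upload_root: str, fullpath: str, filename: str) -> str:
    """The bug class: the client-controlled directory is appended under the
    root and normalised, so '../' segments walk out of the root."""
    return posixpath.normpath(posixpath.join(upload_root, fullpath, filename))


def _segments(fullpath: str) -> list:
    """Split on both separators: '..\\' is a traversal on Windows hosts and
    must not slip past a check that only looks for '../'."""
    return [p for p in fullpath.replace("\\", "/").split("/") if p not in ("", ".")]


def hardened_target(upload_root: str, fullpath: str, filename: str) -> str:
    """Resolve the destination only if it stays inside upload_root."""
    if fullpath.replace("\\", "/").startswith("/"):
        raise ValueError("absolute fullpath rejected")
    parts = _segments(fullpath)
    if ".." in parts:
        raise ValueError("'..' segment in fullpath")
    if filename in ("", ".", "..") or "/" in filename or "\\" in filename:
        raise ValueError("filename must be a single path component")
    root = posixpath.normpath(upload_root)
    candidate = posixpath.normpath(posixpath.join(root, *parts, filename))
    # Final containment check in case normalisation did something unexpected.
    if not candidate.startswith(root + "/"):
        raise ValueError("resolved path escapes upload root")
    return candidate


def accepts(upload_root: str, fullpath: str, filename: str) -> bool:
    """True if hardened_target would allow the write."""
    try:
        hardened_target(upload_root, fullpath, filename)
        return True
    except ValueError:
        return False


def flag_requests(log_lines):
    """Detection side: return access-log lines whose 'fullpath' query value
    contains a '..' segment. parse_qs decodes one layer of percent-encoding
    and unquote a second, so double-encoded attempts are also flagged."""
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]  # 'POST /path?query HTTP/1.1'
            url = request.split(" ")[1]
        except IndexError:
            continue
        query = parse_qs(urlsplit(url).query)
        for value in query.get("fullpath", []):
            if ".." in _segments(unquote(value)):
                hits.append(line)
                break
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Sep/2021:10:00:01 +0000] "POST /tinyfilemanager.php?p=&upload=1&fullpath=images%2F2021 HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Sep/2021:10:00:02 +0000] "POST /tinyfilemanager.php?p=&upload=1&fullpath=..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Sep/2021:10:00:03 +0000] "POST /tinyfilemanager.php?p=&upload=1&fullpath=..%5C..%5Ctmp HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(vulnerable_target(UPLOAD_ROOT, "../../../../tmp", "shell.php"))
    print(hardened_target(UPLOAD_ROOT, "images/2021", "photo.png"))
    print(accepts(UPLOAD_ROOT, "..\\..\\tmp", "shell.php"))
    for hit in flag_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The resolver uses posixpath on purpose so the behaviour is identical on every host; the backslash handling matters because the advisory lists both "../" and "..\", and a filter that only strips the forward-slash form is bypassable on a Windows deployment.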
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| prasathmani | tiny_file_manager | <= 2.4.6 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html
- https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528
- https://github.com/prasathmani/tinyfilemanager