A Stored XSS exists in TinyFileManager All version up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that contains HTML and javascript in its name. A malicious user can upload a file with a malicious filename containing javascript code and it will run on any user browser when they access the server.
References
Link | Resource |
---|---|
https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528 | Third Party Advisory |
https://github.com/prasathmani/tinyfilemanager | Product Third Party Advisory |
https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528 | Third Party Advisory |
https://github.com/prasathmani/tinyfilemanager | Product Third Party Advisory |
Configurations
History
21 Nov 2024, 06:25
Type | Values Removed | Values Added |
---|---|---|
References | () https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528 - Third Party Advisory | |
References | () https://github.com/prasathmani/tinyfilemanager - Product, Third Party Advisory |
Information
Published : 2021-09-15 18:15
Updated : 2024-11-21 06:25
NVD link : CVE-2021-40966
Mitre link : CVE-2021-40966
CVE.ORG link : CVE-2021-40966
JSON object : View
Products Affected
tinyfilemanager_project
- tinyfilemanager
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')