CVE-2021-40966

A Stored XSS exists in TinyFileManager All version up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that contains HTML and javascript in its name. A malicious user can upload a file with a malicious filename containing javascript code and it will run on any user browser when they access the server.
Configurations

Configuration 1 (hide)

cpe:2.3:a:tinyfilemanager_project:tinyfilemanager:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:25

Type Values Removed Values Added
References () https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528 - Third Party Advisory () https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528 - Third Party Advisory
References () https://github.com/prasathmani/tinyfilemanager - Product, Third Party Advisory () https://github.com/prasathmani/tinyfilemanager - Product, Third Party Advisory

Information

Published : 2021-09-15 18:15

Updated : 2024-11-21 06:25


NVD link : CVE-2021-40966

Mitre link : CVE-2021-40966

CVE.ORG link : CVE-2021-40966


JSON object : View

Products Affected

tinyfilemanager_project

  • tinyfilemanager
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')