Vulnerabilities (CVE)

Filtered by vendor Tinyfilemanager Project Subscribe
Total 3 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-40966 1 Tinyfilemanager Project 1 Tinyfilemanager 2024-11-21 3.5 LOW 5.4 MEDIUM
A Stored XSS exists in TinyFileManager All version up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that contains HTML and javascript in its name. A malicious user can upload a file with a malicious filename containing javascript code and it will run on any user browser when they access the server.
CVE-2021-40965 1 Tinyfilemanager Project 1 Tinyfilemanager 2024-11-21 9.3 HIGH 8.8 HIGH
A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker.
CVE-2021-40964 1 Tinyfilemanager Project 1 Tinyfilemanager 2024-11-21 4.3 MEDIUM 6.5 MEDIUM
A Path Traversal vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the "fullpath" parameter containing path traversal strings (../ and ..\) in order to escape the server's intended working directory and write malicious files onto any directory on the computer.