Vulnerability Details CVE-2021-40964
A Path Traversal vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the "fullpath" parameter containing path traversal strings (../ and ..\) in order to escape the server's intended working directory and write malicious files onto any directory on the computer.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.043
EPSS Ranking 88.4%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.3
References
- http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html
- https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528
- https://github.com/prasathmani/tinyfilemanager
- http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html
- https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528
- https://github.com/prasathmani/tinyfilemanager
Products affected by CVE-2021-40964
-
cpe:2.3:a:tinyfilemanager_project:tinyfilemanager:2.4.6