Vulnerability CVE-2021-45010


Published: 2022-03-15

Description:
A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote, authenticated attackers (any valid user account suffices) to write uploaded files outside the intended upload directory, including malicious PHP files placed in the webroot, leading to code execution.
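The bug class above is a destination path built from a client-controlled directory parameter without canonicalisation. The following is an added illustration, not Tiny File Manager's own code and not the linked exploit: a hypothetical vulnerable resolver next to a hardened one that resolves the target with realpath(), checks containment in the configured root, and refuses server-executable extensions. The function names, the temporary directory layout and the test cases are all constructed for this example.

```php
<?php
// Added example, not Tiny File Manager's own code: a minimal upload-target resolver
// showing the CWE-22 bug class from the description and one way to close it.
// Function names, the directory layout and the test cases are all made up here.
declare(strict_types=1);

// Hypothetical vulnerable resolver: the client-supplied directory is joined to the
// root verbatim, so "../" segments walk out of $root and any file name is accepted.
function vulnerable_upload_target(string $root, string $clientDir, string $filename): string
{
    return rtrim($root, '/') . '/' . trim($clientDir, '/') . '/' . $filename;
}

// Hardened resolver: canonicalise with realpath() and verify the result is still
// inside the root; also refuse server-executable extensions. Returns null to reject.
function safe_upload_target(string $root, string $clientDir, string $filename): ?string
{
    // realpath() throws a ValueError on NUL bytes in PHP 8; reject them up front.
    if (strpos($clientDir, "\0") !== false || strpos($filename, "\0") !== false) {
        return null;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;                                  // root must exist
    }
    // Only the basename of the file name is used, so "../x" cannot traverse.
    $name = basename($filename);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // Deny extensions the web server would execute (assumed list; extend per deployment).
    if (preg_match('/\.(php\d*|phtml|phar)$/i', $name)) {
        return null;
    }
    $dirReal = realpath($rootReal . '/' . $clientDir);
    if ($dirReal === false) {
        return null;                                  // target dir must already exist
    }
    // Containment check. The trailing separator matters: without it, /srv/files2
    // would pass as "inside" /srv/files.
    if ($dirReal !== $rootReal
        && strpos($dirReal, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dirReal . DIRECTORY_SEPARATOR . $name;
}

// Constructed demo layout: <tmp>/files is the file-manager root, <tmp>/www is a
// sibling directory standing in for the webroot an attacker wants to reach.
$base = sys_get_temp_dir() . '/tfm_demo_' . bin2hex(random_bytes(4));
mkdir("$base/files/uploads", 0700, true);
mkdir("$base/www", 0700, true);
$root = "$base/files";

$cases = [
    ['uploads',           'report.txt'],   // legitimate upload
    ['../www',            'shell.php'],    // traversal out of root into the webroot
    ['uploads/../../www', 'notes.txt'],    // traversal hidden behind a valid prefix
    ['uploads',           'shell.php'],    // inside root, but executable extension
    ['uploads',           '../notes.txt'], // traversal inside the file name itself
];
foreach ($cases as [$dir, $file]) {
    printf("%-20s %-14s\n  vulnerable: %s\n  safe:       %s\n",
        $dir, $file,
        vulnerable_upload_target($root, $dir, $file),
        safe_upload_target($root, $dir, $file) ?? 'REJECTED');
}

// Clean up the temporary tree.
rmdir("$base/files/uploads");
rmdir("$base/files");
rmdir("$base/www");
rmdir($base);
```

Run with `php example.php`. The containment check after realpath() is the part that addresses the path traversal; the extension deny-list is a second, weaker layer (double extensions and handler overrides can defeat it), so uploads should also live outside the document root or in a directory where the web server does not execute scripts. Because realpath() requires the target directory to exist, this resolver does not create directories on the attacker's behalf, which also removes a common way of sneaking a path past a naive prefix check.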

Type: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score:          6.5/10
Impact Subscore:          6.4/10
Exploitability Subscore:  8.0/10

Exploit range:            Remote
Attack complexity:        Low
Authentication:           Single time
Confidentiality impact:   Partial
Integrity impact:         Partial
Availability impact:      Partial
Affected software
Tiny file manager project -> Tiny file manager (versions before 2.4.7)

References:
https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7
https://github.com/prasathmani/tinyfilemanager/pull/636
https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh
https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1
https://sploitus.com/exploit?id=1337DAY-ID-37364&utm_source=rss&utm_medium=rss
https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh
https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/
http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html

Copyright 2024, cxsecurity.com
