Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application is vulnerable to CSRF, processes uploaded files server-side (instead of just returning them for download), and allows unauthenticated users to access uploaded files.
References
Link | Resource |
---|---|
https://fluidattacks.com/advisories/mosey/ | Exploit Third Party Advisory |
https://github.com/prasathmani/tinyfilemanager/ | Exploit Issue Tracking Third Party Advisory |
https://fluidattacks.com/advisories/mosey/ | Exploit Third Party Advisory |
https://github.com/prasathmani/tinyfilemanager/ | Exploit Issue Tracking Third Party Advisory |
Configurations
History
21 Nov 2024, 06:47
Type | Values Removed | Values Added |
---|---|---|
References | () https://fluidattacks.com/advisories/mosey/ - Exploit, Third Party Advisory | |
References | () https://github.com/prasathmani/tinyfilemanager/ - Exploit, Issue Tracking, Third Party Advisory |
30 Nov 2022, 21:27
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:tiny_file_manager_project:tiny_file_manager:2.4.8:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
References | (MISC) https://github.com/prasathmani/tinyfilemanager/ - Exploit, Issue Tracking, Third Party Advisory | |
References | (MISC) https://fluidattacks.com/advisories/mosey/ - Exploit, Third Party Advisory | |
CWE | CWE-352 |
25 Nov 2022, 18:42
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-11-25 17:15
Updated : 2025-04-25 18:15
NVD link : CVE-2022-23044
Mitre link : CVE-2022-23044
CVE.ORG link : CVE-2022-23044
JSON object : View
Products Affected
tiny_file_manager_project
- tiny_file_manager
CWE
CWE-352
Cross-Site Request Forgery (CSRF)