CVE-2022-45476

Опубликовано: 25 нояб. 2022

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.

Ссылки

https://fluidattacks.com/advisories/mosey/
Exploit
Third Party Advisory
https://github.com/prasathmani/tinyfilemanager/
Product
https://fluidattacks.com/advisories/mosey/
Exploit
Third Party Advisory
https://github.com/prasathmani/tinyfilemanager/
Product

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:prasathmani:tiny_file_manager:2.4.8:*:*:*:*:*:*:*

EPSS

Процентиль: 75%

0.00898

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-434

Связанные уязвимости

GHSA-jhxp-cmcc-wrx8

CVSS3: 8.8

github

около 3 лет назад

Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application is vulnerable to CSRF, processes uploaded files server-side (instead of just returning them for download), and allows unauthenticated users to access uploaded files.