CVE-2021-45010: Path Traversal
First published: Tue Mar 15 2022(Updated: )
A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Tinyfilemanager | <=2.4.7 |
Remedy
https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/166330/Tiny-File-Manager-2.4.6-Shell-Upload.html
- https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/
- https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/raw/main/exploit.sh
- https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7
- https://github.com/prasathmani/tinyfilemanager/pull/636
- https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1
- https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.6-exploit/main/exploit.sh
- https://sploitus.com/exploit?id=1337DAY-ID-37364&utm_source=rss&utm_medium=rss
Frequently Asked Questions
What is the severity of CVE-2021-45010?
CVE-2021-45010 is rated as critical due to its potential to allow remote code execution.
How do I fix CVE-2021-45010?
To fix CVE-2021-45010, upgrade Tiny File Manager to version 2.4.8 or later where the vulnerability has been patched.
What type of attack does CVE-2021-45010 allow?
CVE-2021-45010 allows remote authenticated attackers to upload malicious PHP files, leading to code execution.
Who is affected by CVE-2021-45010?
CVE-2021-45010 affects users of Tiny File Manager versions prior to 2.4.7.
What file is involved in the vulnerability CVE-2021-45010?
The vulnerability CVE-2021-45010 is present in the file upload functionality of tinyfilemanager.php.
- agent/references
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/tiny file manager project
- canonical/tinyfilemanager
- version/tinyfilemanager/2.4.7