CVE-2021-40965

HIGH

TinyFileManager <= 2.4.6 - Cross-Site Request Forgery

Title source: llm

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker.

References (2)

Core 2

Core References

Product, Third Party Advisory x_refsource_misc

https://github.com/prasathmani/tinyfilemanager

View Writeup ZIP pw:eip

Third Party Advisory x_refsource_misc

https://gist.github.com/omriinbar/953368dcdd9e5eeefd83920166099528

Scores

CVSS v3 8.8

EPSS 0.0058

EPSS Percentile 43.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-352

Status published

Products (1)

prasathmani/tiny_file_manager < 2.4.6

Published Sep 15, 2021

Tracked Since Feb 18, 2026