Path Traversal Vulnerability in TinyFileManager Allows Arbitrary File Upload and Directory Traversal

CVE-2021-40964 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

A Path Traversal vulnerability exists in all versions of TinyFileManager up to and including 2.4.6. It allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the "fullpath" parameter containing path traversal strings (../ and ..\) in order to escape the server's intended working directory and write malicious files into any directory on the computer.
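
A containment check of the kind that prevents this class of bug, shown as an added example; it is not TinyFileManager's code or its patch. The function name `resolve_upload_target` and the use of the system temp directory as the upload root are assumptions made for illustration.

```php
<?php
// Added example; function name and directory layout are hypothetical.
function resolve_upload_target(string $baseDir, string $clientPath): ?string
{
    // Treat both separators alike so "..\" is handled the same as "../".
    $normalized = str_replace('\\', '/', $clientPath);

    // Reject NUL bytes and absolute paths (leading slash or drive letter).
    if (strpos($normalized, "\0") !== false || preg_match('#^(/|[A-Za-z]:)#', $normalized)) {
        return null;
    }

    // Any ".." segment is refused outright rather than silently collapsed.
    $segments = [];
    foreach (explode('/', $normalized) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            return null;
        }
        $segments[] = $segment;
    }
    $base = realpath($baseDir);
    if ($segments === [] || $base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR);
    $target = $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $segments);

    // Second check: resolve the deepest existing ancestor (follows symlinks)
    // and confirm it is still inside the base directory.
    $probe = dirname($target);
    while (!file_exists($probe) && $probe !== dirname($probe)) {
        $probe = dirname($probe);
    }
    $real = realpath($probe);
    if ($real === false || strpos($real . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample inputs.
$samples = ['docs/report.txt', '../../outside.txt', '..\\..\\outside.txt', '/outside.txt'];
foreach ($samples as $p) {
    printf("%-24s => %s\n", $p, resolve_upload_target(sys_get_temp_dir(), $p) ?? 'REJECTED');
}
```

Only the first sample resolves to a path under the upload root; the other three are rejected before any file is written.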