PT-2021-23019 · Unknown · Tiny File Manager

Published: 2021-09-15 · Updated: 2025-12-31 · CVE-2021-40964

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: TinyFileManager versions up to and including 2.4.6

Description: A Path Traversal issue exists that allows attackers to upload a file with the fullpath parameter containing path traversal strings (../ and ..) to escape the server's intended working directory and write malicious files to any directory on the computer. This can be done with Admin credentials or by exploiting the CSRF vulnerability.

Recommendations: For versions up to and including 2.4.6, consider disabling the file upload feature until a patch is available to prevent exploitation of the Path Traversal vulnerability. Restrict access to the fullpath parameter to minimize the risk of writing malicious files to unintended directories.
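
The containment check that this class of upload bug lacks, shown as an added example (not Tiny File Manager's code and not its patch): a hypothetical helper, `safe_upload_target`, that resolves a client-supplied relative path against an upload root and refuses anything that would land outside it. The function name, the scratch directory and the sample paths are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not Tiny File Manager's own code. Returns the
// absolute destination for a client-supplied path, or null if it would escape $baseDir.
function safe_upload_target(string $baseDir, string $clientPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base) || strpos($clientPath, "\0") !== false) {
        return null;
    }
    // Treat backslashes as separators so "..\" is handled like "../".
    $segments = [];
    foreach (explode('/', str_replace('\\', '/', $clientPath)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;            // empty or current-directory segment
        }
        if ($seg === '..') {
            return null;         // refuse any parent-directory segment
        }
        $segments[] = $seg;
    }
    if ($segments === []) {
        return null;             // nothing left to use as a file name
    }

    $fileName = array_pop($segments);
    $parent = $base;
    if ($segments !== []) {
        $parent .= DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $segments);
    }

    // If the parent directory already exists, resolve symlinks and confirm
    // the real location is still $base or a directory beneath it.
    $real = realpath($parent);
    if ($real !== false) {
        $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if ($real !== $base && strpos($real . DIRECTORY_SEPARATOR, $prefix) !== 0) {
            return null;
        }
        $parent = $real;
    }
    return $parent . DIRECTORY_SEPARATOR . $fileName;
}

// Constructed sample inputs, resolved against a scratch directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_root_demo';
is_dir($root) || mkdir($root, 0700, true);
foreach (['docs/report.txt', '../../var/www/x.php', 'a/../../b.php', '..'] as $p) {
    echo str_pad($p, 22), ' => ', safe_upload_target($root, $p) ?? 'REJECTED', PHP_EOL;
}
```

Only the first sample path is accepted; the other three contain a parent-directory segment and are rejected before any file system write is attempted.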

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2021-40964

Affected Products: Tiny File Manager