PT-2021-23021 · Unknown · Tiny File Manager

Published: 2021-09-15 · Updated: 2025-12-31 · CVE-2021-40966

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: TinyFileManager versions up to and including 2.4.6
Description: A stored XSS issue exists in TinyFileManager when the server is given a file whose name contains HTML and JavaScript. A malicious user can upload a file with a crafted filename containing JavaScript code, which then runs in the browser of any user who accesses the server. This occurs in the /tinyfilemanager.php endpoint.
Recommendations: For versions up to and including 2.4.6, consider disabling the file upload feature in /tinyfilemanager.php until a patch is available, to prevent exploitation of the stored XSS issue. Restrict access to the /tinyfilemanager.php endpoint to minimize the risk of malicious file uploads. Avoid using filenames that contain HTML or JavaScript code in the affected TinyFileManager versions.
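An added example, not code from Tiny File Manager or from this advisory, written in JavaScript rather than the project's PHP: the unescaped-filename sink that produces this class of bug beside its escaped form, plus an upload-time filename check of the kind the recommendations call for. The listing markup and the `view` query parameter are constructed for illustration.

```javascript
// Added illustration (not Tiny File Manager's code). The stored XSS described
// above arises when a file name is concatenated into the listing's HTML
// unescaped; escaping at every HTML sink removes it, and a filename check at
// upload time gives defenders an early, loggable signal.

// Escape the five characters that can break out of an HTML text or
// double-quoted attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (hypothetical listing row): the raw name lands in an
// attribute and in the element body, so markup in the name becomes markup
// in the page for every user who views the listing.
function renderRowUnsafe(name) {
  return `<tr><td><a href="?view=${name}">${name}</a></td></tr>`;
}

// Hardened pattern: same template, each sink encoded for its own context
// (URL encoding for the query value, HTML escaping for both sinks).
function renderRowSafe(name) {
  const href = escapeHtml(encodeURIComponent(name));
  return `<tr><td><a href="?view=${href}">${escapeHtml(name)}</a></td></tr>`;
}

// Upload-time check: a legitimate file name never needs markup characters,
// so their presence is grounds to reject the upload and log the attempt.
const MARKUP_CHARS = /[<>"'&]/;
function isSuspiciousFilename(name) {
  return MARKUP_CHARS.test(name);
}

// Constructed sample names; the first carries harmless markup to show the
// difference between the two renderers.
const SAMPLE_NAMES = ["<b>report</b>.txt", "budget-2021.xlsx"];

for (const name of SAMPLE_NAMES) {
  console.log(isSuspiciousFilename(name) ? "REJECT" : "ok    ", name);
  console.log("  rendered safely:", renderRowSafe(name));
}
```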

Fix

Weakness Enumeration: XSS

Related Identifiers: CVE-2021-40966

Affected Products: Tiny File Manager