CRITICAL🇵🇱 Wersja polska

CVE-2022-40916

CVSS 9.8v3.1pub. 2025-02-06upd. 2025-12-31

Tiny File Manager v2.4.7 and below is vulnerable to session fixation.

🤖 AI Analysis
How it works

Session fixation (CWE-384) occurs when an attacker is able to impose a pre-known session identifier on the victim before authentication. The application does not generate a new session identifier after successful user login, so an attacker who previously established the value of this identifier takes over the victim's authenticated session. As a result, the attacker gains access to the application with the privileges of the logged-in user without knowing their password.

Impact

An attacker can hijack the session of an authenticated user and gain full access to the managed file manager, which may result in reading, modifying or deleting files on the server and potential code execution.

Mitigation & patch

Tiny File Manager should be updated to a version newer than 2.4.7. As an interim measure, it is recommended to restrict access to the application instance only to trusted networks or IP addresses and to monitor active sessions. Details of the fix are available in the vendor's repository.

Who is affected

Prasathmani Tiny File Manager version 2.4.7 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Prasathmani Tiny File Manager

    APP
    Prasathmani
    ≤ 2.4.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2022-45476CRITICAL9.8ten sam produkt

Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of ju...

CVE-2022-1000CRITICAL9.8ten sam produkt

Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7.

CVE-2022-23044HIGH8.8ten sam produkt

Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform uninten...

CVE-2021-45010HIGH8.8ten sam produkt

A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager be...

CVE-2021-40965HIGH8.8ten sam produkt

A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2....