Tiny File Manager v2.4.7 and below is vulnerable to session fixation.
Session fixation (CWE-384) occurs when an attacker is able to impose a pre-known session identifier on the victim before authentication. The application does not generate a new session identifier after successful user login, so an attacker who previously established the value of this identifier takes over the victim's authenticated session. As a result, the attacker gains access to the application with the privileges of the logged-in user without knowing their password.
An attacker can hijack the session of an authenticated user and gain full access to the managed file manager, which may result in reading, modifying or deleting files on the server and potential code execution.
Tiny File Manager should be updated to a version newer than 2.4.7. As an interim measure, it is recommended to restrict access to the application instance only to trusted networks or IP addresses and to monitor active sessions. Details of the fix are available in the vendor's repository.
Prasathmani Tiny File Manager version 2.4.7 and all earlier versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPrasathmani Tiny File Manager
APPPrasathmani≤ 2.4.7
Related vulnerabilities
Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of ju...
Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7.
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform uninten...
A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager be...
A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2....