CVE-2022-45476

Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://fluidattacks.com/advisories/mosey/	Exploit Third Party Advisory
https://github.com/prasathmani/tinyfilemanager/	Product
https://fluidattacks.com/advisories/mosey/	Exploit Third Party Advisory
https://github.com/prasathmani/tinyfilemanager/	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:prasathmani:tiny_file_manager:2.4.8:*:*:*:*:*:*:*

History

31 Dec 2025, 19:40

Type	Values Removed	Values Added
First Time		Prasathmani tiny File Manager Prasathmani
CPE	cpe:2.3:a:tiny_file_manager_project:tiny_file_manager:2.4.8:::::::*	cpe:2.3:a:prasathmani:tiny_file_manager:2.4.8:::::::*

21 Nov 2024, 07:29

Type	Values Removed	Values Added
References	~~() https://fluidattacks.com/advisories/mosey/ - Exploit, Third Party Advisory~~	() https://fluidattacks.com/advisories/mosey/ - Exploit, Third Party Advisory
References	~~() https://github.com/prasathmani/tinyfilemanager/ - Product~~	() https://github.com/prasathmani/tinyfilemanager/ - Product

07 Nov 2023, 03:54

Type	Values Removed	Values Added
Summary	Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.	Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.

Information

Published : 2022-11-25 18:15

Updated : 2025-12-31 19:40

NVD link : CVE-2022-45476

Mitre link : CVE-2022-45476

CVE.ORG link : CVE-2022-45476

JSON object : View

Products Affected

prasathmani

tiny_file_manager

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2022-45476", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-11-25T18:15:11.630", "references": [{"url": "https://fluidattacks.com/advisories/mosey/", "tags": ["Exploit", "Third Party Advisory"], "source": "help@fluidattacks.com"}, {"url": "https://github.com/prasathmani/tinyfilemanager/", "tags": ["Product"], "source": "help@fluidattacks.com"}, {"url": "https://fluidattacks.com/advisories/mosey/", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/prasathmani/tinyfilemanager/", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-434"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.\n\n\n"}, {"lang": "es", "value": "La versi\u00f3n 2.4.8 de Tiny File Manager ejecuta el c\u00f3digo de los archivos cargados por los usuarios de la aplicaci\u00f3n, en lugar de simplemente devolverlos para su descarga. Esto es posible porque la aplicaci\u00f3n es vulnerable a la carga de archivos no segura."}], "lastModified": "2025-12-31T19:40:50.980", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:prasathmani:tiny_file_manager:2.4.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "502A6A72-602E-4F50-B2F8-BC4280F13CAD"}], "operator": "OR"}]}], "sourceIdentifier": "help@fluidattacks.com"}