CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-45476
https://notcve.org/view.php?id=CVE-2022-45476
25 Nov 2022 — Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload. La versión 2.4.8 de Tiny File Manager ejecuta el código de los archivos cargados por los usuarios de la aplicación, en lugar de simplemente devolverlos para su descarga. Esto es posible porque la aplicación es vulnerable a la carga de archivos no segura. • https://fluidattacks.com/advisories/mosey • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2022-23044
https://notcve.org/view.php?id=CVE-2022-23044
25 Nov 2022 — Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF. La versión 2.4.8 de Tiny File Manager permite a un atacante remoto no autenticado persuadir a los usuarios para que realicen acciones no deseadas dentro de la aplicación. Esto es posible porque la aplicación es vulnerable a CSRF. • https://fluidattacks.com/advisories/mosey • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39287 – Plaintext transmission of CSRF tokens in tiny-csrf
https://notcve.org/view.php?id=CVE-2022-39287
07 Oct 2022 — tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch with be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue. tiny-csrf es un middleware de protección contra ataques de tipo cross site request forgery (CSRF) de Node.js. • https://github.com/valexandersaulys/tiny-csrf/commit/8eead6da3b56e290512bbe8d20c2c5df3be317ba • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1846 – Tiny Contact Form <= 0.7 - Arbitrary Settings Update via CSRF
https://notcve.org/view.php?id=CVE-2022-1846
31 May 2022 — The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack El plugin Tiny Contact Form de WordPress versiones hasta 0.7, no presenta una comprobación de tipo CSRF cuando actualiza sus ajustes, lo que podría permitir a atacantes hacer que un administrador conectado los cambie por medio de un ataque de tipo CSRF • https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1000 – Path Traversal in prasathmani/tinyfilemanager
https://notcve.org/view.php?id=CVE-2022-1000
17 Mar 2022 — Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7. Un Salto de Ruta en el repositorio de GitHub prasathmani/tinyfilemanager versiones anteriores a 2.4.7 • https://github.com/prasathmani/tinyfilemanager/commit/154947ef83efeb68fc2b921065392b6a7fc9c965 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 75%CPEs: 1EXPL: 9CVE-2021-45010 – Tiny File Manager 2.4.6 - Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2021-45010
15 Mar 2022 — A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution. Una vulnerabilidad de cruce de rutas en la funcionalidad de carga de archivos en tinyfilemanager.php en Tiny File Manager antes de la versión 2.4.7 permite a los atacantes remotos (con cuentas de usuario válidas) cargar archivos PHP maliciosos en la raíz web, lo que ... • https://packetstorm.news/files/id/166330 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23562 – Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2021-23562
03 Dec 2021 — This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user to upload this kind of file. Esto afecta al paquete plupload versiones anteriores a 2.3.9. Un nombre de archivo que contenga código JavaScript podría ser cargado y ejecutado. • https://github.com/moxiecode/plupload/blob/master/js/jquery.plupload.queue/jquery.plupload.queue.js%23L226 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 15%CPEs: 1EXPL: 4CVE-2021-37573 – Tiny Java Web Server 1.115 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-37573
09 Aug 2021 — A reflected cross-site scripting (XSS) vulnerability in the web server TTiny Java Web Server and Servlet Container (TJWS) <=1.115 allows an adversary to inject malicious code on the server's "404 Page not Found" error page Una vulnerabilidad de tipo cross-site scripting (XSS) reflejado en el servidor web TTiny Java Web Server and Servlet Container (TJWS) versiones anteriores a 1.115 incluyéndola, permite a un adversario inyectar código malicioso en la página de error "404 Page not Found" del servidor Tiny J... • https://packetstorm.news/files/id/163825 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-36438
https://notcve.org/view.php?id=CVE-2020-36438
08 Aug 2021 — An issue was discovered in the tiny_future crate before 0.4.0 for Rust. Future<T> does not have bounds on its Send and Sync traits. Se ha detectado un problema en la crate tiny_future versiones anteriores a 0.4.0 para Rust. La función Future(T) no presente límites en sus rasgos Send y Sync • https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/tiny_future/RUSTSEC-2020-0118.md • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-35884
https://notcve.org/view.php?id=CVE-2020-35884
31 Dec 2020 — An issue was discovered in the tiny_http crate through 2020-06-16 for Rust. HTTP Request smuggling can occur via a malformed Transfer-Encoding header. Se detectó un problema en la crate tiny_http hasta el 16-06-2020 para Rust. El tráfico no autorizado de peticiones HTTP puede ocurrir por medio de un encabezado Transfer-Encoding malformado. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M3JDNRE5RXJOWZZZF5QSCG4GUCSLTHF2 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •