CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2022-23044
https://notcve.org/view.php?id=CVE-2022-23044
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF. La versión 2.4.8 de Tiny File Manager permite a un atacante remoto no autenticado persuadir a los usuarios para que realicen acciones no deseadas dentro de la aplicación. Esto es posible porque la aplicación es vulnerable a CSRF. • https://fluidattacks.com/advisories/mosey https://github.com/prasathmani/tinyfilemanager • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-45476
https://notcve.org/view.php?id=CVE-2022-45476
Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload. La versión 2.4.8 de Tiny File Manager ejecuta el código de los archivos cargados por los usuarios de la aplicación, en lugar de simplemente devolverlos para su descarga. Esto es posible porque la aplicación es vulnerable a la carga de archivos no segura. • https://fluidattacks.com/advisories/mosey https://github.com/prasathmani/tinyfilemanager • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2022-40721
https://notcve.org/view.php?id=CVE-2022-40721
Arbitrary file upload vulnerability in php uploader Una vulnerabilidad de carga de archivos Arbitrarios en php uploader • http://www.openwall.com/lists/oss-security/2022/10/03/3 http://www.vapidlabs.com/advisory.php?v=216 https://github.com/CreativeDream/php-uploader/issues/23%2C • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-36313 – file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop
https://notcve.org/view.php?id=CVE-2022-36313
An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack. Se ha detectado un problema en el paquete file-type versiones anteriores a 16.5.4 y 17.x anteriores a 17.1.3 para Node.js. Un archivo MKV malformado podía causar que el detector de tipo de archivo quedara atrapado en un bucle infinito. • https://github.com/sindresorhus/file-type/releases/tag/v16.5.4 https://github.com/sindresorhus/file-type/releases/tag/v17.1.3 https://security.netapp.com/advisory/ntap-20220909-0005 https://www.npmjs.com/package/file-type https://access.redhat.com/security/cve/CVE-2022-36313 https://bugzilla.redhat.com/show_bug.cgi?id=2159682 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31527
https://notcve.org/view.php?id=CVE-2022-31527
The Wildog/flask-file-server repository through 2020-02-20 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. El repositorio Wildog/flask-file-server versiones hasta 20-02-20 en GitHub, permite un salto de ruta absoluto porque la función send_file de Flask es usada de forma no segura • https://github.com/github/securitylab/issues/669#issuecomment-1117265726 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •