CVE-2022-23044
https://notcve.org/view.php?id=CVE-2022-23044
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF. • https://fluidattacks.com/advisories/mosey https://github.com/prasathmani/tinyfilemanager • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-45475
https://notcve.org/view.php?id=CVE-2022-45475
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application's internal files. This is possible because the application is vulnerable to broken access control. • https://fluidattacks.com/advisories/mosey https://github.com/prasathmani/tinyfilemanager
CVE-2022-40721
https://notcve.org/view.php?id=CVE-2022-40721
Arbitrary file upload vulnerability in php uploader. • http://www.openwall.com/lists/oss-security/2022/10/03/3 http://www.vapidlabs.com/advisory.php?v=216 https://github.com/CreativeDream/php-uploader/issues/23%2C • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2022-36313 – file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop
https://notcve.org/view.php?id=CVE-2022-36313
An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack. • https://github.com/sindresorhus/file-type/releases/tag/v16.5.4 https://github.com/sindresorhus/file-type/releases/tag/v17.1.3 https://security.netapp.com/advisory/ntap-20220909-0005 https://www.npmjs.com/package/file-type https://access.redhat.com/security/cve/CVE-2022-36313 https://bugzilla.redhat.com/show_bug.cgi?id=2159682 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2022-31527
https://notcve.org/view.php?id=CVE-2022-31527
The Wildog/flask-file-server repository through 2020-02-20 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. • https://github.com/github/securitylab/issues/669#issuecomment-1117265726 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')