CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16790 – Remote Code Execution in Tiny File Manager
https://notcve.org/view.php?id=CVE-2019-16790
In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. Only authenticated users are impacted. En Tiny File Manager versiones anteriores a la versión 2.3.9, Hay una ejecución de código remota por medio Upload desde URL y Edit/Rename files. Solo los usuarios autenticados están afectados. • https://github.com/prasathmani/tinyfilemanager/commit/9a499734c5084e3c2eb505f100d50baac1793bd8 https://github.com/prasathmani/tinyfilemanager/security/advisories/GHSA-w72h-v37j-rrwr • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-19041 – Media File Manager <= 1.4.2 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-19041
The Media File Manager plugin 1.4.2 for WordPress allows XSS via the dir parameter of an mrelocator_getdir action to the wp-admin/admin-ajax.php URI. El plugin Media File Manager 1.4.2 para WordPress permite Cross-Site Scripting (XSS) en el parámetro dir de una acción mrelocator_getdir en el URI wp-admin/admin-ajax.php. • https://www.exploit-db.com/exploits/45809 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2018-19043 – Media File Manager <= 1.4.2 - Directory Traversal to Arbitrary File Read
https://notcve.org/view.php?id=CVE-2018-19043
The Media File Manager plugin 1.4.2 for WordPress allows arbitrary file renaming (specifying a "from" and "to" filename) via a ../ directory traversal in the dir parameter of an mrelocator_rename action to the wp-admin/admin-ajax.php URI. El plugin Media File Manager 1.4.2 para WordPress permite renombrar archivos arbitrarios (especificando un nombre de archivo "from" y "to") mediante un salto de directorio por ../ en el parámetro dir de una acción mrelocator_rename en el URI wp-admin/admin-ajax.php. The Media File Manager plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 1.4.2 via the dir parameter. This allows attackers to read the contents of arbitrary files on the server, which can contain sensitive information. • https://www.exploit-db.com/exploits/45809 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2018-19040 – Media File Manager <= 1.4.2 - Directory Traversal to Directory Listing
https://notcve.org/view.php?id=CVE-2018-19040
The Media File Manager plugin 1.4.2 for WordPress allows directory listing via a ../ directory traversal in the dir parameter of an mrelocator_getdir action to the wp-admin/admin-ajax.php URI. El plugin Media File Manager 1.4.2 para WordPress permite el listado de directorios mediante un salto de directorio por ../ en el parámetro dir de una acción mrelocator_getdir en el URI wp-admin/admin-ajax.php. The Media File Manager plugin up to and including version 1.4.2 for WordPress allows directory listing via a ../ directory traversal in the dir parameter of an mrelocator_getdir action to the wp-admin/admin-ajax.php URI • https://www.exploit-db.com/exploits/45809 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-19042 – Media File Manager <= 1.4.2 - Directory Traversal to Arbitrary File Relocation
https://notcve.org/view.php?id=CVE-2018-19042
The Media File Manager plugin 1.4.2 for WordPress allows arbitrary file movement via a ../ directory traversal in the dir_from and dir_to parameters of an mrelocator_move action to the wp-admin/admin-ajax.php URI. El plugin Media File Manager 1.4.2 para WordPress permite el movimiento de archivos arbitrario mediante un salto de directorio por ../ en los parámetros dir_from y dir_to de una acción mrelocator_move en el URI wp-admin/admin-ajax.php. • https://www.exploit-db.com/exploits/45809 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •