{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-45476", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "assignerShortName": "Fluid Attacks", "dateUpdated": "2024-08-03T14:17:03.575Z", "dateReserved": "2022-11-18T00:00:00", "datePublished": "2022-11-25T00:00:00"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Tiny File Manager", "vendor": "n/a", "versions": [{"status": "affected", "version": "2.4.8"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.<br></p>"}], "value": "Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.\n\n\n"}], "problemTypes": [{"descriptions": [{"description": "Remote command execution", "lang": "en"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2022-12-05T12:08:51.944Z"}, "references": [{"url": "https://github.com/prasathmani/tinyfilemanager/"}, {"url": "https://fluidattacks.com/advisories/mosey/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:17:03.575Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/prasathmani/tinyfilemanager/", "tags": ["x_transferred"]}, {"url": "https://fluidattacks.com/advisories/mosey/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tiny_file_manager_project:tiny_file_manager:2.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "A57BAA59-F664-45DE-92C0-0EDBA5198FE5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.\n\n\n"}, {"lang": "es", "value": "La versi\u00f3n 2.4.8 de Tiny File Manager ejecuta el c\u00f3digo de los archivos cargados por los usuarios de la aplicaci\u00f3n, en lugar de simplemente devolverlos para su descarga. Esto es posible porque la aplicaci\u00f3n es vulnerable a la carga de archivos no segura."}], "id": "CVE-2022-45476", "lastModified": "2023-11-07T03:54:44.253", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-25T18:15:11.630", "references": [{"source": "help@fluidattacks.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://fluidattacks.com/advisories/mosey/"}, {"source": "help@fluidattacks.com", "tags": ["Product"], "url": "https://github.com/prasathmani/tinyfilemanager/"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}