Cross-site Scripting (XSS) - Generic in prasathmani/tinyfilemanager


Reported on

Feb 19th 2021

:book: Description

TinyFileManager is a web-based file manager: a simple, fast and small single-file, multi-language-ready web application for storing, uploading, editing and managing files and folders online via a web browser. The application runs on PHP 5.5+. It allows the creation of multiple users, each with their own directory, and has built-in support for managing text files with the Cloud9 IDE, with syntax highlighting for 150+ languages and 35+ themes. This package is vulnerable to stored cross-site scripting (XSS).

:recycle: Steps To Reproduce:

  1. download and run latest release from Or use demo
  2. Upload a file whose name contains JavaScript. Payload used: "><img src=x onerror=alert(222)>.png
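The following is an added example, not tinyfilemanager's own code. It renders a directory-listing row from a file name the vulnerable way and the escaped way, using the payload above as a constructed sample, and counts the elements a browser-style parser sees in each; PHP is used because that is what the application runs on, and the "view" query parameter name is an assumption.

```php
<?php
// Constructed example for this report (not tinyfilemanager's own code):
// a file name taken from an upload is written into the directory listing.
// The query parameter name "view" is an assumption, not the project's.

// Constructed sample names: one benign, one with the payload from the report.
$sampleNames = [
    'report.pdf',
    '"><img src=x onerror=alert(222)>.png',
];

// Vulnerable pattern: the raw name is dropped into an attribute value and
// into element text. The leading quote in the payload closes the href
// attribute, and the remainder is parsed as a new <img> element whose
// onerror handler runs when the listing is viewed.
function renderRowUnsafe(string $name): string
{
    return '<tr><td><a href="?view=' . $name . '">' . $name . '</a></td></tr>';
}

// Hardened pattern: URL-encode the value placed in the query string, then
// HTML-escape everything for the attribute and text contexts. ENT_QUOTES
// escapes both " and ' so no attribute can be broken out of (older PHP
// versions do not include it in the default flags).
function renderRowSafe(string $name): string
{
    $href = htmlspecialchars('?view=' . rawurlencode($name), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $text = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td><a href="' . $href . '">' . $text . '</a></td></tr>';
}

// Check: parse the rendered row and count how many elements of a given tag
// appear. A listing row should contain exactly one <a> and no <img>; any
// extra element was injected by the file name.
function countElements(string $html, string $tag): int
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<table>' . $html . '</table>');
    libxml_clear_errors();
    return $doc->getElementsByTagName($tag)->length;
}

foreach ($sampleNames as $name) {
    foreach (['unsafe' => renderRowUnsafe($name), 'safe' => renderRowSafe($name)] as $label => $row) {
        printf("%-6s img=%d a=%d  %s\n", $label, countElements($row, 'img'), countElements($row, 'a'), $row);
    }
}
```

For the payload name the unsafe row yields extra <img> elements while the safe row yields none, which is the property a regression test for this bug should assert.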

:telescope: POC

💥 Impact

