Cross-site Scripting (XSS) - Generic in prasathmani/tinyfilemanager

Valid

Reported on

Apr 16th 2021


✍️ Description

Crss site scripting bug exist via file upload

🕵️‍♂️ Proof of Concept

  1. Upload a file and capture the request in burpsuite .
  2. Now change fullpath parameter value to xss payload in burpsuite and forward the request . and see xss is executed

Video poc

https://drive.google.com/file/d/1Be8T2qRZAsUNY0lVx7ZE05poygriw-io/view?usp=sharing

💥 Impact

XSS attack via file upload

Prasath Mani
a year ago

Maintainer


Issue fixed https://github.com/prasathmani/tinyfilemanager/commit/a04567d3baaf5881d370d50e703fc3fbb8aebaeb

to join this conversation