tinyfilemanager

Vulnerability: cross-site scripting
Severity: 7.6
Language: PHP
Registry: other

✍️ Description

A cross-site scripting bug exists via file upload.

🕵️‍♂️ Proof of Concept

  1. Upload a file and capture the request in Burp Suite.
  2. Change the value of the fullpath parameter to an XSS payload in Burp Suite and forward the request; the XSS is executed.

Video PoC

https://drive.google.com/file/d/1Be8T2qRZAsUNY0lVx7ZE05poygriw-io/view?usp=sharing
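The report points at a client-controlled `fullpath` parameter being reflected into the page during upload. The following is an added example, not tinyfilemanager's own code, showing the general shape of that defect and of the fix: a handler that interpolates the parameter into HTML unescaped next to one that validates the target path against an upload root and HTML-encodes anything it echoes. The parameter name comes from the report; the upload root, function names and sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not tinyfilemanager's code. Illustrates reflected XSS via an
// upload path parameter ("fullpath", as named in the report) and its hardening.
// UPLOAD_ROOT, the function names and the sample inputs are assumptions.

declare(strict_types=1);

const UPLOAD_ROOT = '/var/www/files'; // assumed upload root for the example

// Vulnerable pattern: the raw request value is interpolated into the response,
// so any markup the client placed in the parameter is rendered by the browser.
function render_result_unsafe(string $fullpath): string
{
    return "<p>Uploaded to: {$fullpath}</p>";
}

// HTML-encode a value for a text context; ENT_QUOTES covers attribute
// contexts too, ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Validate the requested path: conservative character set, no traversal
// segments, and the result must stay under $root. Returns the resolved
// path or null when the request is rejected. Pure string logic, so it runs
// without the files existing.
function validate_upload_path(string $fullpath, string $root): ?string
{
    if ($fullpath === '' || !preg_match('~^[A-Za-z0-9._/-]+$~', $fullpath)) {
        return null;
    }
    $segments = [];
    foreach (explode('/', $fullpath) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;            // collapse '//' and './'
        }
        if ($segment === '..') {
            return null;         // refuse to walk upward at all
        }
        $segments[] = $segment;
    }
    if ($segments === []) {
        return null;
    }
    $resolved = rtrim($root, '/') . '/' . implode('/', $segments);
    // Defensive prefix check; with '..' rejected above it cannot fail, but it
    // keeps the invariant explicit if the validation logic changes later.
    if (strpos($resolved, rtrim($root, '/') . '/') !== 0) {
        return null;
    }
    return $resolved;
}

// Hardened handler: validation decides whether the upload proceeds, and
// output encoding is applied to everything reflected, including the rejected
// value in the error message. The two controls are independent layers.
function render_result_safe(string $fullpath, string $root = UPLOAD_ROOT): string
{
    $resolved = validate_upload_path($fullpath, $root);
    if ($resolved === null) {
        return '<p>Invalid upload path: ' . h($fullpath) . '</p>';
    }
    return '<p>Uploaded to: ' . h($resolved) . '</p>';
}

// Constructed sample inputs (not taken from the report): a normal relative
// path and one carrying HTML metacharacters in place of a file name.
$benign  = 'docs/report.pdf';
$hostile = 'docs/<b title="x">name</b>.pdf';

header('Content-Type: text/html; charset=UTF-8');
echo render_result_unsafe($hostile), PHP_EOL;   // markup reaches the browser as-is
echo render_result_safe($benign), PHP_EOL;      // resolved path under UPLOAD_ROOT
echo render_result_safe($hostile), PHP_EOL;     // rejected; metacharacters encoded
```

Run with `php example.php` from the command line (the `header()` call is ignored there). The hostile input is rejected by the character whitelist before any filesystem operation, and because the error message also passes through `h()`, the `<`, `>` and `"` characters arrive at the browser as entities rather than as markup, so the reflection point no longer executes anything even if the validation rule is later relaxed.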

💥 Impact

XSS attack via file upload.