CVE-2021-40966 in TinyFileManagerinfo

Summary

by MITRE • 09/16/2021

A Stored XSS exists in TinyFileManager All version up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that contains HTML and javascript in its name. A malicious user can upload a file with a malicious filename containing javascript code and it will run on any user browser when they access the server.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 12/31/2025

The vulnerability identified as CVE-2021-40966 represents a critical stored cross-site scripting flaw within TinyFileManager version 2.4.6 and earlier. This issue arises from insufficient input validation and output sanitization mechanisms within the file manager's core functionality. The vulnerability specifically manifests when the system processes filenames containing HTML and javascript code, creating an environment where malicious payloads can be persistently stored and subsequently executed in users' browsers. The flaw exists in the /tinyfilemanager.php component, which serves as the primary interface for file operations within this web-based file management system.

The technical implementation of this vulnerability stems from the application's failure to properly sanitize user-supplied filenames before rendering them in the web interface. When a malicious actor uploads a file with a specially crafted filename containing javascript code, the system stores this data without adequate filtering or encoding. Subsequently, when legitimate users navigate to the file listing or interact with the file manager interface, the malicious script executes within their browser context. This stored nature of the vulnerability means that the payload remains active even after the initial upload, making it particularly dangerous as it can affect multiple users over time. The vulnerability directly maps to CWE-79 - Improper Neutralization of Input During Web Page Generation, which specifically addresses the failure to sanitize user input before incorporating it into web pages.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to perform a wide range of malicious activities within the victim's browser environment. Attackers can leverage this vulnerability to steal session cookies, perform unauthorized actions on behalf of users, redirect victims to malicious websites, or even deliver additional malware payloads. The attack vector requires only a single file upload with malicious filename content, making it relatively simple to exploit. This vulnerability effectively compromises the integrity of the file management system and can lead to complete browser compromise, especially when combined with other attack techniques. The threat landscape for this vulnerability aligns with ATT&CK technique T1566.001 - Phishing: Spearphishing Attachment, where malicious file uploads serve as initial access vectors.

Mitigation strategies for CVE-2021-40966 must address both immediate remediation and long-term architectural improvements. The most effective immediate solution involves upgrading to TinyFileManager version 2.4.7 or later, which includes proper input sanitization and output encoding mechanisms. Organizations should implement strict filename validation that strips or encodes potentially dangerous characters including angle brackets, quotes, and javascript keywords. Additionally, the system should employ Content Security Policy headers to limit script execution capabilities and implement proper output encoding for all user-supplied content rendered in web interfaces. Network-level protections such as web application firewalls can provide additional defense-in-depth, though they should not be relied upon as the sole mitigation strategy. Regular security audits and input validation testing should be conducted to ensure similar vulnerabilities do not exist in other components of the system. The remediation process should also include user education about the risks of uploading untrusted files and the importance of maintaining updated software versions.

Reservation

09/13/2021

Disclosure

09/16/2021

Moderation

accepted

CPE

ready

EPSS

0.00520

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!