SECURITY: Stored Cross-site Scripting (XSS) Vulnerability detected in File Names #180
prasathmani pushed a commit that referenced this issue on Jul 23, 2019
view file is insecure #187 Get files size (recursive) #186 There is no possibility for translation for some hints (title =) #185 View dirSize instead of word "Folder" #184 Document type detection #183 Stored Cross-site Scripting (XSS) Vulnerability detected in File Names #180 strings in code #177 Remove tracking #164
fixed
Good to hear that the issue has been fixed!
TheBinitGhimire changed the title from "Stored Cross-site Scripting (XSS) Vulnerability detected in File Names" to "SECURITY: Stored Cross-site Scripting (XSS) Vulnerability detected in File Names" on Nov 24, 2020
ner00 pushed a commit to ner00/tinyfilemanager that referenced this issue on May 7, 2023
view file is insecure prasathmani#187 Get files size (recursive) prasathmani#186 There is no possibility for translation for some hints (title =) prasathmani#185 View dirSize instead of word "Folder" prasathmani#184 Document type detection prasathmani#183 Stored Cross-site Scripting (XSS) Vulnerability detected in File Names prasathmani#180 strings in code prasathmani#177 Remove tracking prasathmani#164
Hello @prasathmani!
I was able to discover a Stored Cross-site Scripting (XSS) vulnerability in the latest version of TinyFileManager that allows me to execute my HTML/JavaScript code in the TinyFileManager itself.
Here are the steps to reproduce the vulnerability:
"><svg onload=alert(1)>.ext
(Replace 'ext' with the file extension)
This is how the Stored Cross-site Scripting (XSS) vulnerability can be reproduced and further exploited in the latest version of the TinyFileManager (/prasathmani/tinyfilemanager/).
I hope you will patch this issue during the next update to the file manager.
Thanks,
Binit Ghimire (@thebinitghimire)
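
The report concerns file names that reach the listing HTML without output encoding. The following PHP is an added illustration, not TinyFileManager's code and not part of the original issue: it contrasts an unescaped listing row with a context-encoded one. The function names `render_row_unsafe`, `render_row_safe` and `h`, the `?view=` parameter, and the assumption that the name is written into a quoted attribute are all hypothetical.

```php
<?php
// Added example: hypothetical listing code, not taken from TinyFileManager.

// Vulnerable pattern: the stored file name is concatenated into HTML as-is,
// both inside quoted attributes and as element text.
function render_row_unsafe(string $name): string
{
    return '<a href="?view=' . $name . '" title="' . $name . '">' . $name . '</a>';
}

// HTML context: encode &, <, >, " and ' so the name cannot close an
// attribute value or open a new tag.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: percent-encode the name for the URL component, then
// HTML-encode every place it is written into markup.
function render_row_safe(string $name): string
{
    $href = '?view=' . rawurlencode($name);
    return '<a href="' . h($href) . '" title="' . h($name) . '">' . h($name) . '</a>';
}

// Constructed sample input: one ordinary name and the file name from the report.
$names = ['report.pdf', '"><svg onload=alert(1)>.ext'];

foreach ($names as $name) {
    $unsafe = render_row_unsafe($name);
    $safe   = render_row_safe($name);
    // Markup is injected when the raw "<svg" sequence survives into the output.
    printf(
        "%-34s unsafe_injects=%s safe_injects=%s\n",
        json_encode($name),
        var_export(strpos($unsafe, '<svg') !== false, true),
        var_export(strpos($safe, '<svg') !== false, true)
    );
    echo '  safe row: ', $safe, "\n";
}
```

Encoding at output time covers names already stored on disk, which validation at upload or rename time alone does not.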