Tiny File Manager Session Fixation Vulnerability

Vulnerability

A session fixation vulnerability exists in Tiny File Manager versions through 2.4.7. The application accepts a session identifier chosen by the client and continues to honour it across login and logout, instead of issuing a fresh identifier when the user authenticates and invalidating it when the user signs out. An attacker who can plant a session identifier in a victim's browser can therefore reuse it once the victim has logged in.

Impact

An attacker who can make a victim's browser present a session identifier of the attacker's choosing can wait for the victim to authenticate and then use the same identifier to act as the victim within the file manager, including any file operations the victim's account is permitted to perform. Because the identifier also survives logout, signing out does not close the window for the attacker.

Reproduction

To reproduce this vulnerability:

1. Log into Tiny File Manager with a proxy (for example Burp Suite or OWASP ZAP) in front of the browser.
2. Intercept the server's response to the login request and change the value of the session cookie to an arbitrary 26-character string, such as 'ThisIsDefinatelyIncorectId' or 'aaaaaabbbbbbddddddeeeeeerr'.
3. Forward the modified response to the browser so that it stores the attacker-chosen cookie.
4. Log out of the file manager.
5. Send a request carrying the session identifier set in step 2. It is still accepted, which demonstrates that the application neither rejects client-supplied identifiers nor invalidates them on logout.

The check a reviewer wants here is simple: compare the session cookie value before and after a successful login (it should change), and confirm that the pre-logout value is rejected after logout.
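The following PHP snippet is an added example of the session handling that prevents this class of issue. It is not Tiny File Manager's own code; the function names login() and logout() and the $users array of password_hash() values are assumptions used for illustration. It shows the two controls the reproduction above exercises: the server refuses an uninitialised, client-supplied identifier (session.use_strict_mode), regenerates the identifier on successful authentication, and destroys the session on logout.

```php
<?php
// Added example, not Tiny File Manager's code: session handling hardened
// against session fixation.
declare(strict_types=1);

// Strict mode makes PHP reject a session ID it did not itself generate,
// so a cookie such as 'ThisIsDefinatelyIncorectId' is not adopted.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'httponly' => true,
    'secure'   => !empty($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);
session_start();

/**
 * Authenticate $user and bind the session to the account.
 * $users maps usernames to password_hash() values (assumed structure).
 */
function login(string $user, string $pass, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    // Discard whatever ID the client arrived with and issue a fresh one;
    // passing true also deletes the old session data on the server.
    session_regenerate_id(true);
    $_SESSION['logged'] = $user;
    return true;
}

/**
 * End the session so the old identifier can no longer be replayed.
 */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $p['path'],
            $p['domain'],
            $p['secure'],
            $p['httponly']
        );
    }
    // Remove the server-side session file/record, not just the cookie.
    session_destroy();
}
```

With this in place, step 5 of the reproduction fails: the attacker-chosen value is never adopted in the first place, and a legitimately issued identifier stops working as soon as logout() runs.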

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 5.0
exploitability: 9.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.