CVE-2021-40965

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in TinyFileManager allows attackers to trick authenticated administrators into executing malicious requests, leading to arbitrary file uploads and remote code execution. All versions up to 2.4.6 are affected when an administrator visits a malicious URL while logged in.

💻 Affected Systems

Products:
  • TinyFileManager
Versions: All versions up to and including 2.4.6
Operating Systems: Any OS running TinyFileManager
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator to be authenticated and visit attacker-controlled URL.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.

🟠 Likely Case

Unauthorized file upload leading to webshell deployment and subsequent command execution on the server.

🟢 If Mitigated

Attack fails due to CSRF protections or administrator not being logged in during malicious URL visit.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires social engineering to get administrator to click malicious link while authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.7 and later

Vendor Advisory: https://github.com/prasathmani/tinyfilemanager

Restart Required: No

Instructions:

1. Back up the current installation.
2. Download the latest version from GitHub.
3. Replace the files with the patched version.
4. Verify functionality.

🔧 Temporary Workarounds

Implement CSRF Tokens (Applies to: all)

Add CSRF protection to the file upload and command execution endpoints. Manual code modification is required: embed anti-CSRF tokens in the forms and validate them server-side before any state-changing request is processed.
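The workaround asks for anti-CSRF tokens without showing the pattern, so here is an added example in Python (not TinyFileManager's own PHP code) of the synchronizer-token check: a per-session secret embedded in every state-changing form and compared in constant time on the server, with an Origin/Referer same-host check as defence in depth. The dict-backed session, the `_csrf_token` session key, the `csrf_token` form field and the `files.example.com` hostname are all assumptions for the example.

```python
"""Synchronizer-token CSRF guard (added example, not project code).
The session is modelled as a plain dict; field and key names are assumed."""
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

SESSION_KEY = "_csrf_token"   # assumed name of the session slot holding the token
FORM_FIELD = "csrf_token"     # assumed name of the hidden form field


def issue_token(session: Dict[str, str]) -> str:
    """Create a per-session token on first use and return it for embedding in forms."""
    token = session.get(SESSION_KEY)
    if not token:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, URL-safe base64
        session[SESSION_KEY] = token
    return token


def hidden_field(session: Dict[str, str]) -> str:
    """HTML snippet to add to every state-changing form (upload, delete, command)."""
    # token_urlsafe output is [A-Za-z0-9_-], so no HTML escaping is needed here
    return f'<input type="hidden" name="{FORM_FIELD}" value="{issue_token(session)}">'


def _same_site(headers: Dict[str, str], own_host: str) -> bool:
    """Defence in depth: the request must name our own host as its Origin or Referer.
    A missing header is treated as untrusted for state-changing requests."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).netloc.lower() == own_host.lower()


def validate_request(session: Dict[str, str], form: Dict[str, str],
                     headers: Dict[str, str], own_host: str) -> Tuple[bool, str]:
    """Server-side check to run before an upload or command endpoint does any work."""
    expected = session.get(SESSION_KEY)
    submitted = form.get(FORM_FIELD, "")
    if not expected:
        return False, "no token bound to this session"
    # Compare on bytes in constant time; str compare_digest rejects non-ASCII input
    if not submitted or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "token missing or mismatched"
    if not _same_site(headers, own_host):
        return False, "request did not originate from our own site"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Two constructed requests: one from the genuine UI, one from a foreign page without the token."""
    session: Dict[str, str] = {}
    token = issue_token(session)
    host = "files.example.com"   # constructed hostname
    genuine = validate_request(session, {FORM_FIELD: token},
                               {"Origin": "https://files.example.com"}, host)
    foreign = validate_request(session, {},
                               {"Referer": "https://other.example/page.html"}, host)
    return {"genuine": genuine, "foreign": foreign}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The token check alone is sufficient for the synchronizer pattern; the Origin/Referer check is there so that a token leak through some other bug still does not make a cross-site request succeed. Only state-changing endpoints need the check; reads can stay idempotent GETs.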

Restrict Administrator Access (Applies to: all)

Limit administrator access to trusted networks only: configure firewall rules so that the TinyFileManager admin interface is reachable only from those networks.

🧯 If You Can't Patch

  • Implement web application firewall with CSRF protection rules
  • Require re-authentication for sensitive actions like file uploads

🔍 How to Verify

Check if Vulnerable:

Check TinyFileManager version in config.php or about page

Check Version:

grep -i 'version' config.php tinyfilemanager.php

If the grep finds nothing, check the About page in the web interface.

Verify Fix Applied:

Verify version is 2.4.7 or higher and test CSRF protection on upload forms

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file uploads via POST requests
  • Command execution attempts in web server logs

Network Indicators:

  • CSRF attack patterns with malicious referrer headers
  • Unexpected file uploads to TinyFileManager

SIEM Query (vendor-neutral pseudo-syntax; adapt field names to your platform):

source="web_logs" AND method="POST" AND (uri="/tinyfilemanager/upload.php" OR uri CONTAINS "tinyfilemanager") AND NOT referer CONTAINS "<your-tinyfilemanager-hostname>"

A CSRF request is sent by the victim's own browser, so the User-Agent does not distinguish a forged request from a legitimate one; the Referer or Origin header naming a foreign site, or being absent on a state-changing POST, is the useful discriminator.
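The query above is pseudo-syntax, so as an added example (not part of this page or of TinyFileManager) here is the same detection logic in Python, run over constructed Apache/nginx combined-format log lines: it flags POSTs to a TinyFileManager path whose Referer names another host or is missing. The paths, hostnames and IP addresses in the sample lines are constructed.

```python
"""Flag POSTs to TinyFileManager whose Referer is foreign or absent.
Added example; log lines are constructed in combined log format."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two legitimate admin requests, one cross-site POST,
# one POST with no Referer, and one unrelated POST to another application.
SAMPLE_LOGS = [
    '198.51.100.2 - admin [01/Oct/2021:10:00:01 +0000] "GET /tinyfilemanager.php HTTP/1.1" 200 8192 "https://files.example.com/tinyfilemanager.php" "Mozilla/5.0"',
    '198.51.100.2 - admin [01/Oct/2021:10:00:09 +0000] "POST /tinyfilemanager.php?p=&upload=1 HTTP/1.1" 200 512 "https://files.example.com/tinyfilemanager.php?p=&upload=1" "Mozilla/5.0"',
    '203.0.113.5 - admin [01/Oct/2021:10:02:33 +0000] "POST /tinyfilemanager.php?p=&upload=1 HTTP/1.1" 200 512 "https://other.example/page.html" "Mozilla/5.0"',
    '198.51.100.9 - admin [01/Oct/2021:10:03:10 +0000] "POST /tinyfilemanager.php?p= HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Oct/2021:10:04:00 +0000] "POST /blog/comment.php HTTP/1.1" 200 120 "https://other.example/" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str], own_host: str) -> Optional[str]:
    """Return a reason when the entry looks like a cross-site state change, else None."""
    if entry["method"] != "POST" or "tinyfilemanager" not in entry["path"].lower():
        return None
    referer = entry["referer"]
    if referer in ("", "-"):
        # Browsers and proxies can strip Referer, so this is a lower-confidence signal
        return "state-changing POST with no Referer (low confidence)"
    ref_host = urlsplit(referer).netloc.lower()
    if ref_host != own_host.lower():
        return f"Referer host {ref_host!r} is not {own_host!r}"
    return None


def scan(lines: List[str], own_host: str) -> List[Dict[str, str]]:
    """Run the classifier over a log and collect the suspicious entries."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue   # not combined format; skip rather than guess
        reason = classify(entry, own_host)
        if reason:
            findings.append({"ip": entry["ip"], "time": entry["time"],
                             "path": entry["path"], "reason": reason})
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, "files.example.com"):
        print(f'{hit["time"]} {hit["ip"]} {hit["path"]} -> {hit["reason"]}')
```

Pair a foreign-Referer hit with the session's preceding GET of the admin page: a logged-in administrator whose next request to the upload endpoint carries another site's Referer is exactly the sequence this CSRF produces, and the uploaded filename in that request is what to pull for triage.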
