CVE-2021-45010

8.8 HIGH

📋 TL;DR

This is an authenticated path traversal vulnerability in Tiny File Manager that allows users with valid accounts to upload malicious PHP files to the webroot directory. Successful exploitation leads to remote code execution on the server. Any system running vulnerable versions of Tiny File Manager with file upload functionality enabled is affected.

💻 Affected Systems

Products:
  • Tiny File Manager
Versions: All versions before 2.4.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authentication but default credentials are often unchanged (admin:admin@123). File upload functionality must be enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise allowing attackers to execute arbitrary code, steal data, install backdoors, pivot to other systems, and maintain persistent access.

🟠 Likely Case

Webshell deployment leading to data exfiltration, credential theft, and further lateral movement within the network.

🟢 If Mitigated

Limited impact if proper file upload restrictions, web application firewalls, and least privilege access controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Multiple public exploits available including shell upload scripts. Requires valid credentials but default credentials are commonly used.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.7

Vendor Advisory: https://github.com/prasathmani/tinyfilemanager/commit/2046bbde72ed76af0cfdcae082de629bcc4b44c7

Restart Required: No

Instructions:

1. Download Tiny File Manager version 2.4.7 or later from the official GitHub repository.
2. Replace the existing tinyfilemanager.php file with the patched version.
3. Verify the fix by checking the version number in the application.

🔧 Temporary Workarounds

Disable file upload functionality (platform: all)

Temporarily disable file uploads in the Tiny File Manager configuration: edit tinyfilemanager.php and set 'allow_upload' to false in the configuration section.

Restrict upload directory permissions (platform: linux)

Set strict ownership and permissions on the upload directory. Note that filesystem permissions alone do not stop the web server from executing PHP files placed there; that additionally requires disabling PHP handling for the upload directory in the web server configuration.

chmod 755 /path/to/tinyfilemanager/uploads
chown www-data:www-data /path/to/tinyfilemanager/uploads

🧯 If You Can't Patch

  • Change default credentials and enforce strong password policies
  • Implement web application firewall rules to block path traversal attempts and PHP file uploads

🔍 How to Verify

Check if Vulnerable:

Check the version number in tinyfilemanager.php file header or login page. Versions below 2.4.7 are vulnerable.

Check Version:

grep -i 'version' tinyfilemanager.php | head -1

Verify Fix Applied:

Attempt to upload a PHP file whose name contains a path traversal sequence (e.g., '../../shell.php'); patched versions should reject the upload.

📡 Detection & Monitoring

Log Indicators:

  • File upload attempts with '..' sequences in filenames
  • PHP file uploads to non-standard directories
  • Multiple failed login attempts followed by successful upload

Network Indicators:

  • POST requests to upload endpoint with suspicious filenames
  • HTTP requests to newly uploaded PHP files

SIEM Query:

source="web_logs" AND (uri="*/tinyfilemanager.php*" AND (method="POST" AND (filename="*..*" OR filename="*.php")))
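As an added illustration (not part of this advisory), the log and network indicators above, including the SIEM query, expressed as a small Python checker run over constructed sample records. The record layout (web log normalised into dicts with the upload filename already extracted), the field names and the /uploads directory are assumptions.

```python
import posixpath
import re

# Constructed sample records, not real traffic. Assumed layout: one dict per
# request with the multipart upload filename already extracted into "filename".
SAMPLE_LOGS = [
    {"ts": "2024-01-01T10:00:01", "src": "203.0.113.5", "method": "POST",
     "uri": "/tinyfilemanager.php?p=uploads", "filename": "report.pdf", "status": 200},
    {"ts": "2024-01-01T10:00:07", "src": "203.0.113.9", "method": "POST",
     "uri": "/tinyfilemanager.php?p=uploads", "filename": "../../cmd.php", "status": 200},
    {"ts": "2024-01-01T10:00:09", "src": "203.0.113.9", "method": "GET",
     "uri": "/cmd.php?x=1", "filename": None, "status": 200},
    {"ts": "2024-01-01T10:00:12", "src": "198.51.100.2", "method": "GET",
     "uri": "/index.php", "filename": None, "status": 200},
]

# ".." as a whole path component (slash or backslash separated), and PHP-ish extensions.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
PHP_EXT = re.compile(r"\.ph(p\d?|tml|ar)$", re.IGNORECASE)


def normalise_upload_path(upload_dir, filename):
    """Resolve the web path an upload with this name would land on (for the responder)."""
    return posixpath.normpath(posixpath.join(upload_dir, filename.replace("\\", "/")))


def detect(records, upload_dir="/uploads"):
    """Return (ts, src, reason, path) alerts for the indicators listed in this advisory."""
    alerts = []
    uploaded_php = {}  # resolved web path -> source address that uploaded it
    for r in records:
        uri_path = r["uri"].split("?", 1)[0]
        fname = r.get("filename")
        if r["method"] == "POST" and "tinyfilemanager.php" in uri_path and fname:
            reasons = []
            if TRAVERSAL.search(fname):
                reasons.append("traversal sequence in upload filename")
            if PHP_EXT.search(fname):
                reasons.append("php file upload")
            if reasons:
                landing = normalise_upload_path(upload_dir, fname)
                alerts.append((r["ts"], r["src"], "; ".join(reasons), landing))
                if PHP_EXT.search(fname):
                    uploaded_php[landing] = r["src"]
        elif r["method"] == "GET" and uri_path in uploaded_php:
            # Second indicator: a request to a PHP file that an earlier upload created.
            alerts.append((r["ts"], r["src"], "request to previously uploaded php file", uri_path))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```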

🔗 References
