[GH-ISSUE #180] SECURITY: Stored Cross-site Scripting (XSS) Vulnerability detected in File Names #125

Closed
opened 2026-03-02 15:55:59 +03:00 by kerem · 2 comments

Originally created by @TheBinitGhimire on GitHub (May 20, 2019).
Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/180

Hello @prasathmani!

I was able to discover a **Stored Cross-site Scripting (XSS) vulnerability** in the latest version of TinyFileManager that allows me to execute my HTML/JavaScript code in TinyFileManager itself.

Here are the steps to reproduce the vulnerability:

1. Upload TinyFileManager to your website or view it through a local server, and log in to the platform in case `$use_auth` is `'true'`.
2. Click on "**New item**" in the top-right corner and then create a new file.
3. After the file is created, click on the "Rename" icon next to the "Delete" icon corresponding to the file.
4. Enter the following XSS payload in the file name field: **`"><svg onload=alert(1)>.ext`** _(Replace 'ext' with the file extension)_
5. Now, click on "**Ok**" and when the platform saves the changes and reloads the page, your XSS payload will be executed.

![Stored XSS vulnerability in tinyfilemanager](https://user-images.githubusercontent.com/20013689/58044324-31da2400-7b5f-11e9-8437-13c03107adb0.png)

This is how the **Stored Cross-site Scripting (XSS) vulnerability** can be reproduced and further exploited in the latest version of **TinyFileManager** (**[/prasathmani/tinyfilemanager/](https://github.com/prasathmani/tinyfilemanager/)**).

I hope you will patch this issue in the next update to the file manager.

Thanks,
Binit Ghimire ([@thebinitghimire](https://github.com/thebinitghimire))

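The root cause behind the report above, as an added example that is not TinyFileManager's own code and not its actual fix: a PHP snippet that writes a file name into a listing and a `value="..."` attribute without escaping, beside the escaped version, plus a hypothetical rename-time name check. The functions `h`, `render_row_unsafe`, `render_row_safe` and `is_acceptable_filename` are names chosen for this example.

```php
<?php
// Added example (not TinyFileManager's code): handling user-controlled file
// names in a PHP file manager. The bug on this page arises when a name such as
//   "><svg onload=alert(1)>.ext
// is written into HTML unescaped: the leading " closes the attribute, > closes
// the tag, and the <svg onload=...> that follows becomes live markup.

// Escape for HTML text and for double-quoted attribute values. ENT_QUOTES covers
// both ' and "; ENT_SUBSTITUTE keeps htmlspecialchars() from returning '' on
// malformed UTF-8, which would otherwise silently blank the name.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: the raw name is interpolated into the markup twice.
function render_row_unsafe(string $name): string {
    return '<tr><td>' . $name . '</td>'
         . '<td><input type="text" value="' . $name . '"></td></tr>';
}

// Hardened rendering: every interpolation passes through h(), so the quote and
// angle brackets reach the browser as &quot; &gt; &lt; and stay inert text.
function render_row_safe(string $name): string {
    return '<tr><td>' . h($name) . '</td>'
         . '<td><input type="text" value="' . h($name) . '"></td></tr>';
}

// Defence in depth for the rename endpoint (hypothetical policy for this
// example): accept only a plain base name without path separators, control
// characters or HTML metacharacters. Output escaping above is still the real
// fix; this only narrows what gets stored in the first place.
function is_acceptable_filename(string $name): bool {
    if ($name === '' || $name === '.' || $name === '..' || strlen($name) > 255) {
        return false;
    }
    if ($name !== basename($name)) {   // contained a / (or \ on Windows)
        return false;
    }
    return preg_match('/[\x00-\x1F\x7F<>"\'&]/', $name) !== 1;
}

// Constructed input: the payload from the report above.
$payload = '"><svg onload=alert(1)>.ext';

echo render_row_unsafe($payload), "\n";       // attribute is broken out of
echo render_row_safe($payload), "\n";         // payload shown as escaped text
var_dump(is_acceptable_filename($payload));   // rename would be refused
var_dump(is_acceptable_filename('report.ext'));
```

Escaping belongs at every place a name is emitted (listing, rename dialog, breadcrumb, JavaScript strings), because a name that is accepted today may be created outside the web UI, for instance over SFTP, and still reach the page.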
kerem closed this issue 2026-03-02 15:56:00 +03:00

@prasathmani commented on GitHub (Jul 23, 2019):

fixed


@TheBinitGhimire commented on GitHub (Jul 24, 2019):

Good to hear that the issue has been fixed!
