Cyber Posture

CVE-2022-40916

Severity: Critical · Public PoC available

Published: 06 February 2025

Modified: 31 December 2025
KEV Added: (not listed)
Patch: (see References)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0057 (68.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Tiny File Manager v2.4.7 and below is vulnerable to session fixation.

Security Summary

CVE-2022-40916 is a session fixation vulnerability affecting Tiny File Manager versions 2.4.7 and below. The issue is classified under CWE-384 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), rating it critical because of its high impact on confidentiality, integrity, and availability.

The vulnerability is exploitable remotely over the network with low attack complexity, requiring neither privileges nor user interaction. Because the application accepts a session identifier that was set before authentication, an attacker who knows that identifier can hijack the session once a legitimate user authenticates with it, gaining unauthorized access to files, the ability to modify them, and the means to disrupt the file manager's operation. The standard mitigation for CWE-384 is to issue a fresh session identifier at login and to reject identifiers the server did not generate.

Mitigation details and patches are available in the Tiny File Manager GitHub repository at https://github.com/prasathmani/tinyfilemanager. A proof-of-concept demonstrating the exploit is provided at https://github.com/whitej3rry/CVE-2022-40916/blob/main/PoC.md.

Details

CWE(s): CWE-384 (Session Fixation)

Affected Products

Vendor: prasathmani
Product: tiny file manager
Versions: ≤ 2.4.7
