CVE-2022-40916
Published: 06 February 2025
Summary
CVE-2022-40916 is a critical-severity Session Fixation (CWE-384) vulnerability in Prasathmani Tiny File Manager. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 30.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-40916 is a session fixation vulnerability affecting Tiny File Manager versions 2.4.7 and below. This issue, linked to CWE-384, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact across confidentiality, integrity, and availability.
The vulnerability is exploitable remotely over the network with low attack complexity, requiring neither authentication privileges nor user interaction. Because the application keeps the same session identifier across authentication, an attacker who knows a session identifier before the victim logs in holds an authenticated session afterwards, giving high-impact unauthorized access, data manipulation, and disruption of the file manager's operations.
Mitigation details and patches are available in the Tiny File Manager GitHub repository at https://github.com/prasathmani/tinyfilemanager. A proof-of-concept demonstrating the exploit is provided at https://github.com/whitej3rry/CVE-2022-40916/blob/main/PoC.md.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-44168
Vulnerability details
Tiny File Manager v2.4.7 and below is vulnerable to session fixation.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Session fixation in a public-facing web application directly enables remote exploitation (Exploit Public-Facing Application, T1190) and the use of hijacked web session material for unauthorized access (Use Alternate Authentication Material: Web Session Cookie, T1550.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the session fixation vulnerability by identifying, applying, and verifying the fix provided in the Tiny File Manager repository.
- SC-23 (Session Authenticity): Mandates mechanisms to protect the authenticity of remote communications sessions, directly countering session fixation by ensuring session identifiers cannot be improperly reused across authentication.
- AC-12 (Session Termination): Automatically terminates user sessions after defined inactivity periods or events, reducing the time window in which a fixed session identifier remains usable.
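The following is an added illustration of the CWE-384 pattern described in the analysis above and of the SC-23 mitigation (not reusing a session identifier across authentication). It is not Tiny File Manager's code and is not taken from the referenced proof-of-concept: the in-memory session store, the handler names login_vulnerable and login_fixed, and the credential check are constructed for this example, standing in for what a PHP application does with $_SESSION and session_regenerate_id(true).

```python
"""Session fixation: a vulnerable login flow beside its hardened form.

Constructed example for this CVE record. The session store, handler
names and credentials are assumptions made for the demonstration, not
Tiny File Manager's code.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None  # None until the session is authenticated


class SessionStore:
    """Minimal server-side session store keyed by the identifier in the cookie."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def rotate(self, old_sid: str) -> str:
        """Move a session to a fresh identifier and retire the old one.

        This is the equivalent of PHP's session_regenerate_id(true): the
        pre-authentication identifier stops resolving to any session.
        """
        session = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = session
        return new_sid


def check_password(user: str, password: str) -> bool:
    # Constructed credential check; a real application verifies a password hash.
    return (user, password) == ("alice", "correct horse battery staple")


def _resolve(store: SessionStore, sid: str) -> str:
    """Return a valid session id, creating a session if the cookie is unknown."""
    return sid if store.get(sid) is not None else store.create()


def login_vulnerable(store: SessionStore, sid: str, user: str, password: str) -> str:
    """CWE-384 pattern: authenticate the session but keep its pre-login identifier."""
    sid = _resolve(store, sid)
    if check_password(user, password):
        store.get(sid).user = user
    return sid


def login_fixed(store: SessionStore, sid: str, user: str, password: str) -> str:
    """Hardened: authenticate, then issue a new identifier and retire the old one."""
    sid = _resolve(store, sid)
    if not check_password(user, password):
        return sid
    new_sid = store.rotate(sid)  # the pre-login id is now invalid
    store.get(new_sid).user = user
    return new_sid


def user_bound_to_pre_login_id(login: Callable[..., str]) -> Optional[str]:
    """Who is authenticated under the pre-login identifier after login completes?

    Returns "alice" for login_vulnerable (the old id became an authenticated
    session) and None for login_fixed (the old id no longer resolves).
    """
    store = SessionStore()
    pre_login_sid = store.create()  # an id that existed before authentication
    login(store, pre_login_sid, "alice", "correct horse battery staple")
    session = store.get(pre_login_sid)
    return session.user if session else None


if __name__ == "__main__":
    print("vulnerable:", user_bound_to_pre_login_id(login_vulnerable))
    print("fixed:     ", user_bound_to_pre_login_id(login_fixed))
```

The detection-side check that follows from this is simple to state: the session cookie value returned after a successful login must differ from the one sent with the login request. If it does not, the application is keeping pre-authentication identifiers alive and the SC-23 control is not being met.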