Studio 42 · Elfinder · CVE-2026-44521
**Name of the Vulnerable Software and Affected Versions**
elFinder versions prior to 2.1.68
**Description**
An authenticated SQL injection exists in the MySQL volume driver (`elFinderVolumeMySQL`). This issue allows any logged-in user, including those with read-only access, to inject SQL commands via a crafted file hash passed through the `target` parameter. The flaw occurs because file hashes are decoded without validating that the result is a valid MySQL object identifier before being used in queries within the `cacheDir()`, `joinPath()`, `stat()`, and `fopen()` functions. This can lead to unauthorized disclosure of data accessible to the MySQL account, such as file contents and database metadata, or cause a denial of service due to excessive memory consumption from broad query results. This issue only affects installations configured to use the MySQL volume driver; those using the default `LocalFileSystem` driver are not affected.
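To make the missing check concrete, the following added Python example (not elFinder's code) models a volume file hash being decoded and refuses to build a query unless the decoded value is a bare numeric row id; the hash layout (a volume id prefix followed by URL-safe base64 with `=` padding written as `.`) is an assumption modelled on elFinder's scheme, and an in-memory SQLite table stands in for the MySQL `files` table.

```python
import base64
import re
import sqlite3
from typing import Optional

# Assumed hash layout (modelled on elFinder, not copied from it):
#   "<volume id>_" + base64url(path) with "=" padding written as "."
# In the MySQL driver the "path" is the numeric row id of the files table.
VOLUME_ID = "m1_"
# The only shape a MySQL-driver file id should ever take: a positive integer.
ID_RE = re.compile(r"^[1-9][0-9]*$")

def encode_hash(path: str) -> str:
    """Build a hash for an arbitrary path string (a row id in the MySQL driver)."""
    raw = base64.urlsafe_b64encode(path.encode()).decode().replace("=", ".")
    return VOLUME_ID + raw

def decode_hash(h: str) -> str:
    """Unhardened decode: hands back whatever text the hash carried."""
    if not h.startswith(VOLUME_ID):
        raise ValueError("hash does not belong to this volume")
    return base64.urlsafe_b64decode(h[len(VOLUME_ID):].replace(".", "=")).decode()

def decode_file_id(h: str) -> Optional[int]:
    """Hardened decode: only a bare positive integer id is accepted."""
    try:
        decoded = decode_hash(h)
    except ValueError:  # covers base64 (binascii.Error) and UTF-8 decode failures
        return None
    return int(decoded) if ID_RE.fullmatch(decoded) else None

def stat_file(conn: sqlite3.Connection, target_hash: str) -> Optional[dict]:
    """stat()-style lookup: the validated id is bound as a parameter, never interpolated."""
    file_id = decode_file_id(target_hash)
    if file_id is None:
        return None  # rejected before any SQL is built
    row = conn.execute(
        "SELECT id, name, size FROM files WHERE id = ?", (file_id,)
    ).fetchone()
    return dict(zip(("id", "name", "size"), row)) if row else None

def demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the MySQL files table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, size INTEGER)")
    conn.executemany("INSERT INTO files VALUES (?, ?, ?)",
                     [(1, "readme.txt", 12), (2, "notes.md", 40)])
    return conn
```

A hash whose payload is anything other than digits is dropped by `decode_file_id`, so the query in `stat_file` only ever sees an integer.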
**Recommendations**
Update to version 2.1.68.
As a temporary mitigation, restrict access to the `elFinderVolumeMySQL` driver or avoid using the `target` parameter in the affected driver until the update is applied.