PT-2021-15516 · Unknown · Elfinder.Netcore

Timo Müller

·

Published

2021-09-01

·

Updated

2021-09-09

·

CVE-2021-23428

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

elFinder.NetCore (affected versions not specified)

Description

The issue arises from the use of the Path.Combine(...) method to create an absolute file path without sanitizing user input and without checking the generated path. This allows a path traversal attack, enabling an attacker to escape the Files directory.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
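The check on the generated path that the description says is missing, shown beside the unchecked pattern. This is an added example, not code from elFinder.NetCore or from this advisory; the SafePath class, its method names and the sample root directory are hypothetical.

```csharp
using System;
using System.IO;

// Hypothetical helper for illustration; not part of elFinder.NetCore.
public static class SafePath
{
    // Pattern from the description: the combined path is used unchecked.
    // Path.Combine keeps ".." segments, and a rooted second argument
    // discards the first argument entirely.
    public static string CombineUnchecked(string root, string userPath)
        => Path.Combine(root, userPath);

    // Hardened form: canonicalize, then require the result to stay under root.
    public static bool TryResolve(string root, string userPath, out string resolved)
    {
        resolved = string.Empty;
        if (string.IsNullOrEmpty(userPath) || userPath.IndexOf('\0') >= 0)
            return false;

        // Trailing separator keeps a sibling such as "Files-old" from matching "Files".
        string fullRoot = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
        string candidate;
        try { candidate = Path.GetFullPath(Path.Combine(fullRoot, userPath)); }
        catch (Exception e) when (e is ArgumentException || e is NotSupportedException
                                  || e is PathTooLongException)
        { return false; }

        // Ordinal comparison fails closed on case-insensitive file systems.
        // GetFullPath does not resolve symlinks; links inside root need a separate check.
        if (!candidate.StartsWith(fullRoot, StringComparison.Ordinal))
            return false;
        resolved = candidate;
        return true;
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "Files"); // constructed sample root
        string[] samples = { "docs/report.txt", "../appsettings.json",
                             "sub/../../Files-old/x.txt", Path.GetTempPath() };
        foreach (string s in samples)
        {
            bool ok = TryResolve(root, s, out string p);
            Console.WriteLine($"{s,-28} unchecked={CombineUnchecked(root, s)} allowed={ok}");
        }
    }
}
```

Only the first constructed sample resolves inside the root; the other three are rejected because their canonical form falls outside it.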

RCE

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-23428
GHSA-9RJP-R58J-FXGQ
SNYK-DOTNET-ELFINDERNETCORE-1313838

Affected Products

Elfinder.Netcore