PT-2021-3442 · Elfinder · Elfinder

Ashok Chand · Published 2021-06-13 · Updated 2026-02-06 · CVE-2021-23394

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: elFinder versions prior to 2.1.58

Description: The issue is related to the execution of PHP code in a .phar file, which can lead to Remote Code Execution (RCE). This only applies if the server parses .phar files as PHP. The vulnerability is associated with the unrestricted upload of dangerous file types: an attacker could exploit it to execute arbitrary code using a specially crafted .phar file.

Recommendations: For versions prior to 2.1.58, update to version 2.1.58 to address the issue. If you cannot update to 2.1.58, make sure your connector is not exposed without authentication, and consider setting the appropriate MIME type for file extensions that are generally executable on a web server using the "additionalMimeMap" option in the elFinder PHP connector.
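As an added example (not code from the advisory or the elFinder project), the following connector configuration applies both interim recommendations: the connector refuses unauthenticated requests, and the .phar extension is pinned through "additionalMimeMap" to a MIME type that the allow-list never admits. The autoload path, the session field, the upload paths and the MIME string chosen for .phar are assumptions.

```php
<?php
// Hardened elFinder 2.1 PHP connector (added example; option names follow the
// elFinder connector, the concrete values are assumptions for illustration).
require './autoload.php';   // assumed: elFinder's own autoloader location

// Recommendation 1: never expose the connector without authentication.
// Assumed: the application stores the logged-in user id in the session.
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('elFinder connector requires an authenticated session');
}

$opts = array(
    'roots' => array(
        array(
            'driver' => 'LocalFileSystem',
            'path'   => '/var/www/uploads/',   // assumed upload directory
            'URL'    => '/uploads/',           // assumed public URL of that directory

            // Recommendation 2: force extension-based MIME normalization for
            // extensions a web server may execute. A .phar whose body begins with
            // a plain-text PHP stub could otherwise be classified as text/plain;
            // mapping it here keeps it out of the allow-list below.
            // Assumed: text/x-php is the type elFinder assigns to .php files.
            'additionalMimeMap' => array(
                'phar'  => 'text/x-php',
                'phtml' => 'text/x-php',
            ),

            // Allow-list semantics: 'deny' rules are evaluated first, then
            // 'allow' entries override them, so only the listed types upload.
            'uploadDeny'  => array('all'),
            'uploadAllow' => array('image/jpeg', 'image/png', 'image/gif',
                                   'application/pdf'),
            'uploadOrder' => array('deny', 'allow'),
        ),
    ),
);

$connector = new elFinderConnector(new elFinder($opts));
$connector->run();
```

The MIME mapping only limits what the connector accepts; the web server must still be configured so that files under the upload directory are never handed to the PHP interpreter, which the advisory names as the precondition for exploitation.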

Exploit · Fix · RCE · Unrestricted File Upload

Weakness Enumeration

Related Identifiers

BDU:2021-03302
CVE-2021-23394
GHSA-QM58-CVVM-C5QR
SNYK-PHP-STUDIO42ELFINDER-1290554

Affected Products

Elfinder