PT-2023-25338 · Elfinder · Elfinder

Sectroyer · Published 2023-06-14 · Updated 2024-12-12 · CVE-2023-35840

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

elFinder versions prior to 2.1.62

Description

The issue allows path traversal in the PHP LocalVolumeDriver connector due to incomplete validation of supplied request parameters. It can be exploited when untrusted users are allowed to write to the local file system.

Recommendations

Update to elFinder version 2.1.62 as soon as possible to fix the issue. If you cannot update, consider disabling the vulnerable connector or prohibiting write access for untrusted users.

Exploit

Fix

Path traversal

Weakness Enumeration

Related identifiers

CVE-2023-35840
GHSA-3P2Q-MH7Q-9PXJ
GHSA-WM5G-P99Q-66G4

Affected products

Elfinder