The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
References
Link | Resource |
---|---|
https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities/ | Exploit Third Party Advisory |
https://github.com/Studio-42/elFinder | Third Party Advisory |
https://github.com/Studio-42/elFinder/commit/75ea92decc16a5daf7f618f85dc621d1b534b5e1 | Patch Third Party Advisory |
https://github.com/Studio-42/elFinder/issues/3295 | Exploit Issue Tracking Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-PHP-STUDIO42ELFINDER-1290554 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: snyk
Published: 2021-06-13T00:00:00
Updated: 2022-08-02T15:16:55
Reserved: 2021-01-08T00:00:00
Link: CVE-2021-23394
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-06-13T11:15:14.290
Modified: 2022-11-09T03:32:27.307
Link: CVE-2021-23394
JSON object: View
Redhat Information
No data.
CWE