CVE-2021-32682 Information

Description

elFinder is an open-source file manager for the web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/Studio-42/elFinder/commit/a106c350b7dfe666a81d6b576816db9fe0899b17

https://github.com/Studio-42/elFinder/security/advisories/GHSA-wph3-44rj-92pr

http://packetstormsecurity.com/files/164173/elFinder-Archive-Command-Injection.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Base Severity

CRITICAL
