CVE-2022-26960

CRITICAL9.1EPSS 84.2%

Path Traversal in Studio-42 elFinder through 2.1.60

Published: 3/22/2022Modified: 2/16/2024

Description

`connector.minimal.php` in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.

Affected packages (1)

Packagist/studio-42/elfinderfrom 0, < 2.1.61

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-26960
WEBhttps://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db
WEBhttps://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html