CVE-2022-26960

CRITICAL9.1EPSS 84.2%

Path Traversal in Studio-42 elFinder through 2.1.60

發布日:2022/3/22修改日:2024/2/16

描述

`connector.minimal.php` in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.

受影響套件(1)

Packagist/studio-42/elfinderfrom 0, < 2.1.61

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-26960
WEBhttps://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db
WEBhttps://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html