CVE-2022-26960 – studio-42/elfinder
Package
Manager: composer
Name: studio-42/elfinder
Vulnerable Version: >=0 <2.1.61
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.86387 (percentile: 0.99369)
Details
Path Traversal in Studio-42 elFinder through 2.1.60
`connector.minimal.php` in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.
Metadata
Created: 2022-03-22T00:00:41Z
Modified: 2023-07-07T19:15:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-7q88-jxvp-9gp2/GHSA-7q88-jxvp-9gp2.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-7q88-jxvp-9gp2
Finding: F063
Auto approve: 1