CVE-2021-23428 elfinder.netcore

Package

Manager: nuget
Name: elfinder.netcore
Vulnerable Version: >=0 <=1.3.5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00754 (percentile: 0.72313)

Details

Path traversal in elFinder.NetCore. This affects all versions of package elFinder.NetCore. The Path.Combine(...) method is used to create an absolute file path. Because the user input is not sanitized and the generated path is not checked, it is possible to escape the Files directory via path traversal.
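
The missing check described above, as an added C# example (not code from elFinder.NetCore or its maintainers): the unchecked Path.Combine pattern beside a resolver that canonicalises the result and requires it to stay under the storage root. The class name, method names, root directory and sample inputs are assumptions constructed for illustration.

```csharp
using System;
using System.IO;

// Added example, not elFinder.NetCore code. All names and paths are assumptions.
public static class SafePath
{
    // Pattern the advisory describes: the combined path is used without any check.
    // Path.Combine keeps ".." segments and discards root when userPath is rooted.
    public static string ResolveUnchecked(string root, string userPath) =>
        Path.Combine(root, userPath);

    // Hardened form: canonicalise, then require the result to stay under root.
    public static bool TryResolve(string root, string userPath, out string resolved)
    {
        resolved = null;
        if (string.IsNullOrEmpty(userPath) || userPath.IndexOf('\0') >= 0)
            return false;

        // GetFullPath collapses "." and ".." segments; it does not resolve symlinks.
        string sep = Path.DirectorySeparatorChar.ToString();
        string fullRoot = Path.GetFullPath(root);
        if (!fullRoot.EndsWith(sep, StringComparison.Ordinal))
            fullRoot += sep;

        string candidate;
        try { candidate = Path.GetFullPath(Path.Combine(fullRoot, userPath)); }
        catch (Exception e) when (e is ArgumentException || e is NotSupportedException
                                  || e is PathTooLongException)
        { return false; }

        // The trailing separator on fullRoot stops a sibling such as "Files-old"
        // from passing a bare prefix comparison against "Files".
        if (!candidate.StartsWith(fullRoot, StringComparison.Ordinal))
            return false;
        resolved = candidate;
        return true;
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "Files"); // assumed storage root
        // Constructed sample inputs: one legitimate, three that leave the root.
        string[] inputs = { "docs/report.txt", "../appsettings.json",
                            "/etc/hostname", "a/../../Files-old/x" };
        foreach (var input in inputs)
        {
            bool ok = TryResolve(root, input, out _);
            Console.WriteLine($"{input,-22} allowed={ok} unchecked={ResolveUnchecked(root, input)}");
        }
    }
}
```

Because GetFullPath does not follow symbolic links, a deployment that allows links inside the storage root needs an additional check on the resolved target.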

Metadata

Created: 2021-09-02T22:05:26Z
Modified: 2021-09-02T18:03:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9rjp-r58j-fxgq/GHSA-9rjp-r58j-fxgq.json
CWE IDs: ["CWE-20", "CWE-22"]
Alternative ID: GHSA-9rjp-r58j-fxgq
Finding: F063
Auto approve: 1