Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-32682

Date: June 14, 2021

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.

Language: PHP

Severity Score

Related Resources (9)

https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities
https://github.com/Studio-42/elFinder/commit/a106c350b7dfe666a81d6b576816db9fe0899b17
https://github.com/Studio-42/elFinder/security/advisories/GHSA-qm58-cvvm-c5qr
https://github.com/Studio-42/elFinder
https://github.com/Studio-42/elFinder/security/advisories/GHSA-wph3-44rj-92pr
https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities/
https://nvd.nist.gov/vuln/detail/CVE-2021-32682
http://packetstormsecurity.com/files/164173/elFinder-Archive-Command-Injection.html
https://www.mend.io/vulnerability-database/CVE-2021-32682

Severity Score

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

Server-Side Request Forgery (SSRF)

CWE-918

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us