Vulnerability Details CVE-2021-23428
This affects all versions of package elFinder.NetCore. The Path.Combine(...) method is used to create an absolute file path. Due to missing sanitation of the user input and a missing check of the generated path its possible to escape the Files directory via path traversal
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 72.4%
CVSS Severity
CVSS v3 Score 8.6
CVSS v2 Score 7.5
References
- https://github.com/gordon-matt/elFinder.NetCore
- https://github.com/gordon-matt/elFinder.NetCore/blob/633da9a4d7d5c9baefd1730ee51bf7af54889600/elFinder.NetCore/Drivers/FileSystem/FileSystemDriver.cs%23L387
- https://snyk.io/vuln/SNYK-DOTNET-ELFINDERNETCORE-1313838
- https://github.com/gordon-matt/elFinder.NetCore
- https://github.com/gordon-matt/elFinder.NetCore/blob/633da9a4d7d5c9baefd1730ee51bf7af54889600/elFinder.NetCore/Drivers/FileSystem/FileSystemDriver.cs%23L387
- https://snyk.io/vuln/SNYK-DOTNET-ELFINDERNETCORE-1313838
Products affected by CVE-2021-23428
-
cpe:2.3:a:elfinder.netcore_project:elfinder.netcore:-