Std42 >> Elfinder Security Vulnerabilities
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the resize command with a crafted bg value may achieve arbitrary command execution as the web server process user. This vulnerability is fixed in 2.1.67.
CVSS Score
8.9
EPSS Score
0.016
Published
2026-04-23
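The description above says the bg value reaches an ImageMagick CLI command string "without sufficient escaping". The following PHP is an added illustration, not elFinder's own resize code: it contrasts a command built by string interpolation with one that allowlists the colour value and quotes every argument. The function names resizeVulnerable, resizeSafe and isSafeColor, the convert options used, and the sample bg value are all assumptions made for the example.

```php
<?php
// Added example (not elFinder's code). Shows how a user-controlled "bg"
// parameter becomes shell metacharacters inside an ImageMagick CLI call,
// and a hardened variant. Function names and sample inputs are illustrative.

// Vulnerable pattern: $bg is interpolated into the command string unquoted.
function resizeVulnerable(string $src, string $dst, int $w, int $h, string $bg): string {
    $cmd = 'convert ' . escapeshellarg($src)
         . " -background $bg -resize {$w}x{$h} "   // $bg: raw user input
         . escapeshellarg($dst);
    return $cmd; // shell_exec($cmd) would run whatever $bg injected
}

// Allowlist the colour: #rgb, #rrggbb, #rrggbbaa or a few named colours.
function isSafeColor(string $bg): bool {
    if (preg_match('/\A#[0-9A-Fa-f]{3}(?:[0-9A-Fa-f]{3}(?:[0-9A-Fa-f]{2})?)?\z/', $bg)) {
        return true;
    }
    return in_array(strtolower($bg), ['white', 'black', 'transparent', 'none'], true);
}

// Hardened pattern: validate first, then quote each argument individually.
function resizeSafe(string $src, string $dst, int $w, int $h, string $bg): string {
    if (!isSafeColor($bg)) {
        throw new InvalidArgumentException('bg must be a hex colour or a known colour name');
    }
    $args = ['convert', $src, '-background', $bg, '-resize', $w . 'x' . $h, $dst];
    return implode(' ', array_map('escapeshellarg', $args));
}

// Constructed sample input: a bg value that closes the intended command.
$evil = '#fff; id > /tmp/pwned #';
echo resizeVulnerable('in.png', 'out.png', 100, 100, $evil), "\n";
try {
    echo resizeSafe('in.png', 'out.png', 100, 100, $evil), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo resizeSafe('in.png', 'out.png', 100, 100, '#ffffff'), "\n";
```

Two caveats a practitioner should keep in mind. Quoting alone is not a complete fix: escapeshellarg stops the shell from interpreting the value, but ImageMagick still parses its arguments, so a value beginning with "-" or "@" can be treated as an option or a file reference; the allowlist is what removes that class of problem. And where the PHP version allows it, passing an argument array to proc_open avoids invoking a shell at all, which is preferable to building a command line.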
Studio-42 elFinder 2.1.62 is vulnerable to Remote Code Execution (RCE) as there is no restriction for uploading files with the .php8 extension.
CVSS Score
9.8
EPSS Score
0.008
Published
2024-10-31
Studio-42 elFinder 2.1.62 contains a filename restriction bypass leading to a persistent Cross-site Scripting (XSS) vulnerability.
CVSS Score
6.1
EPSS Score
0.003
Published
2024-10-31
Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control: the extension restrictions enforced on upload are not applied when files are copied between server directories, so an attacker can place files with an otherwise-disallowed extension and use them to expose secrets, achieve RCE, and so on.
CVSS Score
9.8
EPSS Score
0.005
Published
2024-07-30
_joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector.
CVSS Score
6.5
EPSS Score
0.016
Published
2023-06-19
Studio-42 elFinder 2.1.60 allows remote code execution via a file-name restriction bypass in the file upload handling.
CVSS Score
9.8
EPSS Score
0.289
Published
2022-04-11
A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
CVSS Score
9.8
EPSS Score
0.423
Published
2022-04-07
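The .php8 entry for 2.1.62, the copy-between-directories entry for 2.1.64 and the two file-name bypass entries above all come down to the same design weakness: a denylist of "dangerous" extensions that is checked in one code path. The PHP below is an added example, not elFinder's code, showing why a denylist misses variants such as .php8 or shell.php.jpg and how an allowlist applied to every write path (upload, rename, copy/paste) closes the gap. The constant ALLOWED_EXT, the function names and the sample file names are assumptions for the example.

```php
<?php
// Added example (not elFinder's code). Denylist versus allowlist extension
// policy, applied to uploads and to copies alike. Names are illustrative.

// Denylist: what the bypasses above target. It misses .php8, .phar, and
// multi-extension names where the last extension looks harmless.
function deniedByDenylist(string $name): bool {
    $bad = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $bad, true);
}

// Allowlist: every extension in the name must be known-safe and the
// name itself must be plain (no separators, control bytes or leading dot).
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'txt', 'pdf'];

function isAllowedFilename(string $name): bool {
    if ($name === '' || strlen($name) > 255) return false;
    if (preg_match('/[\/\\\\\x00-\x1f]/', $name) || $name[0] === '.') return false;
    $parts = explode('.', $name);
    if (count($parts) < 2) return false;      // require an extension
    array_shift($parts);                      // drop the base name
    foreach ($parts as $ext) {                // check every extension: shell.php.jpg fails
        if (!in_array(strtolower($ext), ALLOWED_EXT, true)) return false;
    }
    return true;
}

// The same policy must gate copy/paste, rename and archive extraction,
// not only upload; otherwise a disallowed file can be created indirectly.
function authorizeCopy(string $srcName, string $dstName): bool {
    return isAllowedFilename($srcName) && isAllowedFilename($dstName);
}

// Constructed sample names.
$samples = ['photo.jpg', 'shell.php8', 'shell.PhP', 'shell.php.jpg', '.htaccess', 'notes.txt'];
foreach ($samples as $s) {
    printf("%-15s denylist:%-6s allowlist:%s\n", $s,
        deniedByDenylist($s) ? 'deny' : 'allow',
        isAllowedFilename($s) ? 'allow' : 'deny');
}
var_dump(authorizeCopy('notes.txt', 'shell.php8'));   // bool(false)
```

The allowlist as written also rejects legitimate multi-extension names such as archive.tar.gz; add those components to the list deliberately rather than relaxing the every-extension rule. Independently of the name check, the upload directory should be served with script execution disabled so that a policy mistake does not become code execution.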
connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.
CVSS Score
9.1
EPSS Score
0.51
Published
2022-03-21
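Both the _joinPath entry for versions before 2.1.62 and the connector.minimal.php entry above describe the same failure: a join helper that lets an absolute path, or a ".." component, escape the configured root. The PHP below is an added example and not elFinder's _joinPath: it shows an unsafe join that follows a common convention (an absolute second operand replaces the root) next to a containment check that rejects absolute paths, normalises ".." logically, and then uses realpath on the deepest existing ancestor so symlinks cannot escape either. The function names and the temporary directory layout are assumptions for the example.

```php
<?php
// Added example (not elFinder's _joinPath). Unsafe join versus a
// root-contained join. Names and the sample root are illustrative.

function joinPathUnsafe(string $root, string $name): string {
    // Mirrors a common join convention: an absolute $name replaces $root,
    // and ".." segments pass through untouched.
    if ($name !== '' && $name[0] === '/') return $name;
    return rtrim($root, '/') . '/' . $name;
}

function joinPathSafe(string $root, string $name): string {
    $root = realpath($root);
    if ($root === false) throw new RuntimeException('root does not exist');

    // Reject absolute paths (POSIX and Windows forms) and NUL bytes outright.
    if ($name === '' || $name[0] === '/' || $name[0] === '\\'
        || preg_match('/\A[A-Za-z]:/', $name) || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('absolute or malformed path rejected');
    }
    // Normalise logically first so a not-yet-existing target can still be checked.
    $segments = [];
    foreach (explode('/', str_replace('\\', '/', $name)) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') throw new InvalidArgumentException('parent traversal rejected');
        $segments[] = $seg;
    }
    $candidate = $root . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $segments);

    // Resolve symlinks on the deepest existing ancestor and confirm it stays under root.
    $probe = $candidate;
    while (($real = realpath($probe)) === false) {
        $parent = dirname($probe);
        if ($parent === $probe) throw new RuntimeException('cannot resolve path');
        $probe = $parent;
    }
    if ($real !== $root && strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('path escapes volume root');
    }
    return $candidate;
}

// Constructed sample root and inputs.
$root = sys_get_temp_dir() . '/elfinder_example_root';
@mkdir($root . '/sub', 0700, true);
echo 'unsafe: ', joinPathUnsafe($root, '/etc/passwd'), "\n";
foreach (['sub/file.txt', '/etc/passwd', '../../etc/passwd', 'sub/../../x'] as $n) {
    try {
        echo 'ok    ', joinPathSafe($root, $n), "\n";
    } catch (Exception $e) {
        echo 'deny  ', $n, ': ', $e->getMessage(), "\n";
    }
}
```

The two-stage check matters: a purely string-based normalisation misses symlinks inside the root that point outside it, while a realpath-only check fails for files that do not exist yet (the usual case for upload and mkdir). Doing the logical normalisation first and then resolving the nearest existing ancestor covers both.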
Studio 42 elFinder through 2.1.31 allows XSS via an SVG document.
CVSS Score
5.4
EPSS Score
0.006
Published
2022-02-08
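An SVG is an XML document that browsers will render, and script inside it runs in the origin that served it, which is the mechanism behind the XSS entry above. The PHP below is an added example, not elFinder's code: a check that flags the constructs which make an SVG executable (script and foreignObject elements, on* event attributes, javascript: URLs), plus the response headers that prevent inline rendering when such files must still be downloadable. The function names, header set and sample SVG documents are assumptions for the example.

```php
<?php
// Added example (not elFinder's code). Detects active content in an
// uploaded SVG and builds headers for serving user files as downloads.

function svgHasActiveContent(string $svg): bool {
    if ($svg === '') return true;
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external DTDs or entities while parsing.
    $ok = $doc->loadXML($svg, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if (!$ok) return true;                       // unparseable: treat as unsafe
    $xp = new DOMXPath($doc);
    $queries = [
        "//*[translate(local-name(),'SCRIPT','script')='script']",
        "//*[translate(local-name(),'FOREIGNOBJECT','foreignobject')='foreignobject']",
        "//@*[starts-with(translate(name(),'ON','on'),'on')]",
        "//@*[contains(translate(normalize-space(.),'JAVASCRIPT','javascript'),'javascript:')]",
    ];
    foreach ($queries as $q) {
        if ($xp->query($q)->length > 0) return true;
    }
    return false;
}

// Headers for serving any user-supplied file: force download, forbid
// sniffing, and sandbox anything a browser still decides to render.
function safeDownloadHeaders(string $filename): array {
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($filename));
    return [
        'Content-Type: image/svg+xml',
        'Content-Disposition: attachment; filename="' . $safeName . '"',
        'X-Content-Type-Options: nosniff',
        "Content-Security-Policy: sandbox; default-src 'none'",
    ];
}

// Constructed sample documents.
$benign = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>';
$onload = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>';
$href   = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
        . '<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>';
$script = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>';
var_dump(svgHasActiveContent($benign));   // bool(false)
var_dump(svgHasActiveContent($onload));   // bool(true)
var_dump(svgHasActiveContent($href));     // bool(true)
var_dump(svgHasActiveContent($script));   // bool(true)
print_r(safeDownloadHeaders('logo.svg'));
```

This is a rejection filter, not a sanitiser: it does not catch every encoding trick browsers tolerate (for instance tabs or newlines inside "javascript:"), and a new vector can always appear. The robust control is the second function: never serve user-supplied SVG inline from the application origin, and if previews are required, serve them from a separate sandboxed origin.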
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.
CVSS Score
9.8
EPSS Score
0.699
Published
2021-06-14
Shodan ® - All rights reserved