CVE-2022-26960

connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.
Configurations

Configuration 1 (hide)

cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:*

History

30 Jun 2022, 19:47

Type Values Removed Values Added
References (MISC) https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html - (MISC) https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html - Exploit, Technical Description, Third Party Advisory
CVSS v2 : 6.4
v3 : 9.1
v2 : 5.8
v3 : 9.1

30 Mar 2022, 23:15

Type Values Removed Values Added
References
  • (MISC) https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html -

28 Mar 2022, 17:26

Type Values Removed Values Added
First Time Std42 elfinder
Std42
CPE cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:*
CWE CWE-22
CVSS v2 : unknown
v3 : unknown
v2 : 6.4
v3 : 9.1
References (MISC) https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db - (MISC) https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db - Patch, Third Party Advisory
References (MISC) https://www.synacktiv.com/publications.html - (MISC) https://www.synacktiv.com/publications.html - Product

21 Mar 2022, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-03-21 17:15

Updated : 2023-12-10 14:22


NVD link : CVE-2022-26960

Mitre link : CVE-2022-26960

CVE.ORG link : CVE-2022-26960


JSON object : View

Products Affected

std42

  • elfinder
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')