Lucene search

[email protected]CVE-2021-32682

HistoryJun 14, 2021 - 5:15 p.m.

CVE-2021-32682

2021-06-1417:15:07

CWE-918

CWE-22

CWE-78

[email protected]

web.nvd.nist.gov

136

elfinder

file manager

web

javascript

jquery

vulnerability

code execution

patch

nvd

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.973 High

EPSS

Percentile

99.9%

JSON

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.

Affected configurations

Vulners

NVD

Node

studio-42elfinderMatch2.1.58

CPENameOperatorVersion
std42:elfinderstd42 elfinderlt2.1.59

CPE	Name	Operator	Version
std42:elfinder	std42 elfinder	lt	2.1.59

CNA Affected

[
  {
    "product": "elFinder",
    "vendor": "Studio-42",
    "versions": [
      {
        "status": "affected",
        "version": "= 2.1.58"
      }
    ]
  }
]