CVE-2022-26960

Опубликовано: 21 мар. 2022

Источник: nvd

CVSS3: 9.1

CVSS2: 5.8

EPSS Высокий

Описание

connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.

Ссылки

https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db
Patch
Third Party Advisory
https://www.synacktiv.com/publications.html
Product
https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html
Exploit
Technical Description
Third Party Advisory
https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db
Patch
Third Party Advisory
https://www.synacktiv.com/publications.html
Product
https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html
Exploit
Technical Description
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:*

Версия до 2.1.61 (исключая)

EPSS

Процентиль: 99%

0.79151

Высокий

9.1 Critical

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-7q88-jxvp-9gp2