CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 0.005 Low
Percentile: 75.7%
The elfinder module provides an AJAX-based file manager based on the elFinder JavaScript library.
The module doesn’t sufficiently verify requests, thereby exposing a Cross-Site Request Forgery (CSRF) vulnerability. This would enable an attacker to create, modify, or delete files on the server.
There are no mitigating factors.
Drupal core is not affected. If you do not use the contributed elFinder file manager module, there is nothing you need to do.
Install the latest version:
Also see the elFinder file manager project page.
drupal.org/contact
drupal.org/node/1972082
drupal.org/node/1972084
drupal.org/project/elfinder
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/329570
drupal.org/user/36762
drupal.org/user/426416
drupal.org/user/771642
drupal.org/writing-secure-code
sourceforge.net/projects/elfinder/files/