Lucene search
GoogleOSV:GHSA-9RJP-R58J-FXGQHistorySep 02, 2021 - 10:05 p.m.
Path traversal in elFinder.NetCore
2021-09-0222:05:26
Google
osv.dev
13
path traversal
elfinder.netcore
absolute file paths
input sanitation
files directory
EPSS
0.003
Percentile
69.3%
This affects all versions of package elFinder.NetCore. The Path.Combine(…) method is used to create an absolute file path. Due to missing sanitation of the user input and a missing check of the generated path its possible to escape the Files directory via path traversal
References
github.com/gordon-matt/elFinder.NetCore
github.com/gordon-matt/elFinder.NetCore/blob/633da9a4d7d5c9baefd1730ee51bf7af54889600/elFinder.NetCore/Drivers/FileSystem/FileSystemDriver.cs#L387
github.com/gordon-matt/elFinder.NetCore/blob/633da9a4d7d5c9baefd1730ee51bf7af54889600/elFinder.NetCore/Drivers/FileSystem/FileSystemDriver.cs%23L387
nvd.nist.gov/vuln/detail/CVE-2021-23428
snyk.io/vuln/SNYK-DOTNET-ELFINDERNETCORE-1313838
Related
nvd
nvd
CVE-2021-23428
2021-09-01 15:15:08
veracode
veracode
Path Traversal
2021-09-06 06:35:37
cvelist
cvelist
CVE-2021-23428 Directory Traversal
2021-09-01 14:30:12
prion
prion
Path traversal
2021-09-01 15:15:00
github
github
Path traversal in elFinder.NetCore
2021-09-02 22:05:26
cve
cve
CVE-2021-23428
2021-09-01 15:15:08