24 matches found
elFinder <= 2.1.47 - Command Injection
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector. The vulnerability occurs when performing image operations on JPEG files, where the filename is passed to the exiftran utility without proper sanitization, allowing command injection. id: CVE-2019-9194 info: name:...
Exploit for OS Command Injection in Std42 Elfinder
CVE-2019-9194 — elFinder Command Injection PoC Command in...
EUVD-2023-1903
Malicious code in bioql PyPI...
Remote Code Execution
studio-42/elfinder is vulnerable to remote code execution. An attacker is able to execute arbitrary code and commands on the server hosting the elFinder PHP connector even with the minimal configuration...
elFinder code issue vulnerability
elFinder is a set of open source AJAX file managers based on the Drupal platform. The product provides multiple file uploads, image scaling, and other features. elFinder has a security vulnerability that could be exploited by attackers to execute arbitrary code and commands on the server hosting...
GHSA-QM58-CVVM-C5QR elFinder unsafe upload filtering leading to remote code execution
Impact Before elFinder 2.1.58, the upload filter did not disallow the upload of .phar files. As several Linux distributions are now shipping Apache configured in a way it will process these files as PHP scripts, attackers could gain arbitrary code execution on the server hosting the PHP connector...
elFinder < 2.1.59 Multiple Vulnerabilities (GHSA-wph3-44rj-92pr)
elFinder is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:std42:elfinder"; ifdescription...
CVE-2021-32682
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal...
Authentication flaw
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal...
elFinder PHP Connector < 2.1.48 - exiftran Command Injection Exploit
This Metasploit module exploits a command injection vulnerability in elFinder versions prior to 2.1.48. The PHP connector component allows unauthenticated users to upload files and perform file modification operations, such as resizing and rotation of an image. The file name of uploaded files is...
elFinder PHP Connector exiftran Command Injection
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'elFinder PHP Connector exiftran Command Injection', 'Description' = %q This module exploits a command injection vulnerability in elFinder version...
elFinder PHP Connector exiftran Command Injection
This module exploits a command injection vulnerability in elFinder versions prior to 2.1.48. The PHP connector component allows unauthenticated users to upload files and perform file modification operations, such as resizing and rotation of an image. The file name of uploaded files is not...
OS Command Injection
studio-42/elfinder is vulnerable to OS command injection. Improper processing of the image upload function in the PHP connector allows a remote attacker to inject and execute arbitrary OS commands on the host system...
elFinder 2.1.47 Command Injection
!/usr/bin/python ''' Exploit Title: elFinder SecSignal.php;echo SecSignal.jpg' def usage: if lensys.argv != 2: print "Usage: python exploit.py URL" sys.exit0 def uploadurl, payload: files = 'upload': payload, open'SecSignal.jpg', 'rb' data = "reqid" : "1693222c439f4", "cmd" : "upload", "target" :...
elFinder 2.1.47 - 'PHP connector' Command Injection
!/usr/bin/python ''' Exploit Title: elFinder SecSignal.php;echo SecSignal.jpg' def usage: if lensys.argv != 2: print "Usage: python exploit.py URL" sys.exit0 def uploadurl, payload: files = 'upload': payload, open'SecSignal.jpg', 'rb' data = "reqid" : "1693222c439f4", "cmd" : "upload", "target" :...
elFinder < 2.1.48 Command Injection Vulnerability
elFinder is prone to a command injection vulnerability. SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:std42:elfinder";...
CVE-2019-9194
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector...
Command injection
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector...
CVE-2019-9194
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector...
CVE-2019-9194
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector...