CVE-2021-23394

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-23394

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-23394.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-23394

Aliases

GHSA-qm58-cvvm-c5qr

Related

SNYK-PHP-STUDIO42ELFINDER-1290554

Published

2021-06-13T11:15:14.290Z

Modified

2026-03-18T11:43:18.838406Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.

References

Affected packages

Git / github.com/studio-42/elfinder

Affected ranges

Type

GIT

Repo

https://github.com/studio-42/elfinder

Events

Introduced

Fixed

3802892cf32e999f08143107c5686e84ce837164

Fixed

75ea92decc16a5daf7f618f85dc621d1b534b5e1

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.58"
        }
    ]
}

Affected versions

1.*

1.0.1

1.1

2.*

2.0-beta

2.0-rc1

2.1.0

2.1.1

2.1.10

2.1.11

2.1.12

2.1.13

2.1.14

2.1.15

2.1.16

2.1.17

2.1.18

2.1.19

2.1.2

2.1.20

2.1.21

2.1.22

2.1.23

2.1.24

2.1.25

2.1.26

2.1.27

2.1.28

2.1.29

2.1.3

2.1.30

2.1.31

2.1.32

2.1.33

2.1.34

2.1.35

2.1.36

2.1.37

2.1.38

2.1.39

2.1.4

2.1.40

2.1.41

2.1.42

2.1.43

2.1.44

2.1.45

2.1.46

2.1.47

2.1.48

2.1.49

2.1.5

2.1.50

2.1.51

2.1.52

2.1.53

2.1.54

2.1.55

2.1.56

2.1.57

2.1.6

2.1.7

2.1.8

2.1.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-23394.json"