CVE-2021-23394
- Source
- https://cve.org/CVERecord?id=CVE-2021-23394
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-23394.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-23394
- Aliases
-
- GHSA-qm58-cvvm-c5qr
- SNYK-PHP-STUDIO42ELFINDER-1290554
- Published
- 2021-06-13T11:15:14.290Z
- Modified
- 2026-05-30T17:17:44.422931Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
- References
-
- https://github.com/Studio-42/elFinder
- https://snyk.io/vuln/SNYK-PHP-STUDIO42ELFINDER-1290554
- https://github.com/Studio-42/elFinder/commit/75ea92decc16a5daf7f618f85dc621d1b534b5e1
- https://github.com/Studio-42/elFinder/issues/3295
- https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities/
Affected packages
Git / github.com/studio-42/elfinder
Affected ranges
- Type
- GIT
- Repo
- https://github.com/studio-42/elfinder
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
- Database specific
{ "cpe": "cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:*", "extracted_events": [ { "introduced": "0" }, { "fixed": "2.1.58" } ], "source": [ "CPE_RANGE", "REFERENCES" ] }
Affected versions
1.*
1.0.1
2.*
2.0-beta
2.1.0
2.1.1
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.16
2.1.17
2.1.18
2.1.19
2.1.2
2.1.20
2.1.21
2.1.22
2.1.23
2.1.24
2.1.25
2.1.26
2.1.27
2.1.28
2.1.29
2.1.3
2.1.30
2.1.31
2.1.32
2.1.33
2.1.34
2.1.35
2.1.36
2.1.37
2.1.38
2.1.39
2.1.4
2.1.40
2.1.41
2.1.42
2.1.43
2.1.44
2.1.45
2.1.46
2.1.47
2.1.48
2.1.49
2.1.5
2.1.50
2.1.51
2.1.52
2.1.53
2.1.54
2.1.55
2.1.56
2.1.57
2.1.6
2.1.7
2.1.8
2.1.9