CVE-2021-23407

HIGH

elFinder.Net.Core < 1.2.4 - Path Traversal via Unsanitized File Name

Title source: llm

Description

This affects the package elFinder.Net.Core from 0 and before 1.2.4. The user-controlled file name is not properly sanitized before it is used to create a file system path.

References (3)

Core 3

Core References

Exploit, Patch, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-DOTNET-ELFINDERNETCORE-1315152

Patch, Third Party Advisory x_refsource_misc

https://github.com/trannamtrung1st/elFinder.Net.Core/commit/5498c8a86b76ef089cfbd7ef8be014b61fa11c73

View Patch ZIP pw:eip

Third Party Advisory x_refsource_misc

https://github.com/trannamtrung1st/elFinder.Net.Core/releases/tag/all-1.2.4

Scores

CVSS v3 7.5

EPSS 0.0053

EPSS Percentile 67.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-22

Status published

Products (2)

elfinder.net.core_project/elfinder.net.core < 1.2.4

nuget/elFinder.Net.Core 0 - 1.2.4NuGet

Published Jul 14, 2021

Tracked Since Feb 18, 2026