CVE-2021-23427

HIGH

elFinder.NetCore - Path Traversal and Arbitrary File Write via ExtractAsync Function

Title source: llm

Description

This affects all versions of package elFinder.NetCore. The ExtractAsync function within the FileSystem is vulnerable to arbitrary extraction due to insufficient validation.

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-DOTNET-ELFINDERNETCORE-1567778

Broken Link x_refsource_misc

https://github.com/gordon-matt/elFinder.NetCore/blob/633da9a4d7d5c9baefd1730ee51bf7af54889600/elFinder.NetCore/Drivers/FileSystem/FileSystemDriver.cs%23L226

Scores

CVSS v3 8.6

EPSS 0.0063

EPSS Percentile 70.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Details

CWE

CWE-22

Status published

Products (2)

elfinder.netcore_project/elfinder.netcore

nuget/elFinder.NetCore 0NuGet

Published Sep 01, 2021

Tracked Since Feb 18, 2026