CVE-2021-46398

HIGH LAB

Filebrowser <2.18.0 - CSRF

Title source: llm

Description

A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privileges and gain access to the filesystem via a malicious HTML webpage sent to the victim. An admin can run commands through Filebrowser, so this leads to RCE.

Exploits (3)

exploitdb WORKING POC
by FEBIN MON SAJI · text · webapps · multiple
https://www.exploit-db.com/exploits/50717
nomisec WRITEUP
by LalieA · poc
https://github.com/LalieA/CVE-2021-46398
inthewild WRITEUP
poc
https://github.com/febinrev/cve-2021-46398_chamilo-lms-rce

Scores

CVSS v3 8.8
EPSS 0.1035
EPSS Percentile 93.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull filebrowser/filebrowser:v2.17.2

Details

CWE
CWE-352
Status published
Products (2)
filebrowser/filebrowser < 2.18.0
filebrowser/filebrowser 0 - 2.18.0 · Go
Published Feb 04, 2022
Tracked Since Feb 18, 2026