eLfinder vulnerable to RCE due to lack of file extension restriction
CVE-2023-52044

9.8CRITICAL

Key Information:

Vendor: Studio-42
Status: Elfinder
Vendor: CVE Published:; 31 October 2024

What is CVE-2023-52044?

The Studio-42 eLfinder version 2.1.62 is exposed to a significant security risk due to its inability to validate file uploads, specifically allowing files with the .php8 extension. This flaw permits attackers to upload malicious scripts, thereby executing arbitrary code on the affected system. Organizations using this version of eLfinder should address this vulnerability urgently to mitigate the risk of unauthorized access and data breaches.

References

https://github.com/Studio-42/elFinder/issues/3615

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 31, 2024
Vulnerability Reserved
Dec 26, 2023

CVE-2023-52044 Data

JSON