CVE-2021-23394
published 2021-06-13

Priority: P183 · Severity: critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 19.08% (97.0th percentile)
The package studio-42/elfinder before 2.1.58 is vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.

Affected (3 ranges)

Vendor     | Product  | Version range             | Fixed in
std42      | elfinder | < 2.1.58                  | 2.1.58
studio-42  | elfinder | >= 0, < 2.1.58            | 2.1.58
studio-42  | elfinder | >= unspecified, < 2.1.58  | 2.1.58

Detection & IOCs (extracted from sources)

Path: /elFinder/files/{(unknown)}.phar
  • Detect an elFinder RCE probe by checking for a JSON response (content-type application/json, HTTP 200) that contains all three fields 'isowner', 'phash', and 'changed'
  • Exploitation involves uploading and executing a .phar file under the elFinder files directory; monitor for GET requests to .phar files under /elFinder/files/
  • Successful RCE is confirmed when the HTTP response body contains the MD5 hash of the attacker-controlled payload string, indicating PHP code execution via the .phar file
  • The vulnerability only applies when the server is configured to parse .phar files as PHP; audit server configuration for .phar-to-PHP handler associations
  • CVE-2021-23394 RCE via .phar file execution is only exploitable if the web server is configured to parse .phar files as PHP; it is not universally applicable to all elFinder deployments
  • Affected versions are studio-42/elfinder before 2.1.58; deployments on 2.1.58 or later are not vulnerable

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck | -       | 8.1   | HIGH     | (not provided)