CVE-2021-32682
published 2021-06-14
Priority P1 · 82 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS 69.93% (99.3th percentile)
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| std42 | elfinder | < 2.1.59 | 2.1.59 |
| studio-42 | elfinder | >= 0 < 2.1.59 | 2.1.59 |
| wpjos | library_file_manager | < 5.2.3 | 5.2.3 |
Detection & IOCs (extracted from sources)
- path: `/admin/elfinder/elfinder-cke.html`
- path: `/assets/backend/elfinder/elfinder-cke.html`
- path: `/assets/elFinder-2.1.9/elfinder.html`
- path: `/assets/elFinder/elfinder.html`
- path: `/backend/elfinder/elfinder-cke.html`
- path: `/elfinder/elfinder-cke.html`
- path: `/uploads/assets/backend/elfinder/elfinder-cke.html`
- path: `/uploads/assets/backend/elfinder/elfinder.html`
- path: `/uploads/elfinder/elfinder-cke.html`
- Detect unauthenticated exposure of elFinder connector pages by matching both the string 'elfinder' and 'php/connector' in HTTP 200 responses to known elFinder HTML paths.
- The archive command injection exploit targets the `name` parameter of the zip archive creation functionality; monitor for `-TmTT` appearing in HTTP request parameters to the elFinder connector.
- The vulnerability is exploitable even with minimal configuration; prioritize detection on any publicly reachable elFinder PHP connector endpoint without authentication.
- The Metasploit module targets elFinder versions below 2.1.59 via the archive functionality; version fingerprinting on elFinder HTML pages can identify vulnerable instances.
- The `escapeshellarg()` sanitization applied to the `name` parameter is insufficient; it does not block the `-TmTT` zip argument, meaning standard PHP shell-escaping alone cannot be relied upon as a security control for this parameter.
- Exploitation is possible even with minimal elFinder configuration, so any deployment, including default or lightly configured installs, should be considered at risk if the connector is unauthenticated.
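CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |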
GHSA
GHSA-6pvh-hm7g-3cc8: The Library File Manager WordPress plugin before 5
ghsa_unreviewed·2022-04-05·CVSS 9.8
CVE-2022-0403 [CRITICAL] CWE-434 GHSA-6pvh-hm7g-3cc8: The Library File Manager WordPress plugin before 5
The Library File Manager WordPress plugin before 5.2.3 is using an outdated version of the elFinder library, which is known to be affected by security issues (CVE-2021-32682), and does not have any authorisation or CSRF checks in its connector AJAX action, allowing any authenticated user, such as a subscriber, to call it. Furthermore, as the options passed to the elFinder library do not restrict any file type, users with a role as low as subscriber can create, upload and delete arbitrary files and folders.
GHSA
elFinder before 2.1.59 contains multiple vulnerabilities leading to RCE
ghsa·2021-06-16
CVE-2021-32682 [CRITICAL] CWE-22 elFinder before 2.1.59 contains multiple vulnerabilities leading to RCE
### Impact
We recently fixed several vulnerabilities affecting elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with the minimal configuration.
### Patches
The issues were addressed in our last release, 2.1.59.
### Workarounds
If you can't update to 2.1.59, make sure your connector is not exposed without authentication.
### Reference
Further technical details will be disclosed on https://blog.sonarsource.com/tag/security after some time.
### For more information
If you have any questions or comments about this advisory, you can contact:
- The original reporters, by sending an email to vulnerability.research@
OSV
elFinder before 2.1.59 contains multiple vulnerabilities leading to RCE
osv·2021-06-16
CVE-2021-32682 [CRITICAL] elFinder before 2.1.59 contains multiple vulnerabilities leading to RCE
No detection rules found.
Nuclei
elFinder 2.1.58 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2021-32682 [CRITICAL] elFinder 2.1.58 - Remote Code Execution
elFinder 2.1.58 is impacted by multiple remote code execution vulnerabilities that could allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration.
Template:
```yaml
id: CVE-2021-32682

info:
  name: elFinder 2.1.58 - Remote Code Execution
  author: smaranchand
  severity: critical
  description: elFinder 2.1.58 is impacted by multiple remote code execution vulnerabilities that could allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: Update to elFinder 2.1
```
Metasploit
elFinder Archive Command Injection
metasploit
elFinder versions below 2.1.59 are vulnerable to a command injection vulnerability via its archive functionality. When creating a new zip archive, the `name` parameter is sanitized with the `escapeshellarg()` PHP function and then passed to the `zip` utility. Despite the sanitization, supplying the `-TmTT` argument as part of the `name` parameter is still permitted and enables the execution of arbitrary commands as the `www-data` user.
Greynoiseio
NoiseLetter April 2024
blogs_greynoiseio
arXiv
PentestAgent: Incorporating LLM Agents to Automated Penetration Testing
arxiv_fulltext·2025-05-29
Authors:
- Xiangmin Shen, Northwestern University, Evanston, Illinois, USA [1]
- Lingzhi Wang, Northwestern University, Evanston, Illinois, USA [1]
- Zhenyuan Li, Zhejiang University, Hangzhou, Zhejiang, China
- Yan Chen, Northwestern University, Evanston, Illinois, USA
- Wencheng Zhao, Ant Group, Hangzhou, Zhejiang, China
- Dawei Sun, Ant Group, Hangzhou, Zhejiang, China
- Jiashui Wang, Zhejiang University, Hangzhou, Zhejiang, China
- Wei Ruan, Zhejiang University, Hangzhou, Zhejiang, China

[1] Both authors contributed equally to this work.
## Abstract
References
- http://packetstormsecurity.com/files/164173/elFinder-Archive-Command-Injection.html
- https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities/
- https://github.com/Studio-42/elFinder/commit/a106c350b7dfe666a81d6b576816db9fe0899b17
- https://github.com/Studio-42/elFinder/security/advisories/GHSA-wph3-44rj-92pr
Published: 2021-06-14