CVE-2021-32682
published 2021-06-14


Priority: P1 (82)
Severity: critical, CVSS 3.1 base score 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Exploit: public exploit available
EPSS: 69.93% (99.3rd percentile)
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.

Affected (3 ranges)

Vendor      Product               Version range      Fixed in
std42       elfinder              < 2.1.59           2.1.59
studio-42   elfinder              >= 0, < 2.1.59     2.1.59
wpjos       library_file_manager  < 5.2.3            5.2.3

Detection & IOCs (extracted from sources)

path: /admin/elfinder/elfinder-cke.html
path: /assets/backend/elfinder/elfinder-cke.html
path: /assets/elFinder-2.1.9/elfinder.html
path: /assets/elFinder/elfinder.html
path: /backend/elfinder/elfinder-cke.html
path: /elfinder/elfinder-cke.html
path: /uploads/assets/backend/elfinder/elfinder-cke.html
path: /uploads/assets/backend/elfinder/elfinder.html
path: /uploads/elfinder/elfinder-cke.html
command: -TmTT
  • Detect unauthenticated exposure of elFinder connector pages by matching both the string 'elfinder' and 'php/connector' in HTTP 200 responses to known elFinder HTML paths.
  • The archive command injection exploit targets the `name` parameter of the zip archive creation functionality; monitor for `-TmTT` appearing in HTTP request parameters to the elFinder connector.
  • The vulnerability is exploitable even with minimal configuration; prioritize detection on any publicly reachable elFinder PHP connector endpoint without authentication.
  • The Metasploit module targets elFinder versions below 2.1.59 via the archive functionality; version fingerprinting on elFinder HTML pages can identify vulnerable instances.
  • The `escapeshellarg()` sanitization applied to the `name` parameter is insufficient; it does not block the `-TmTT` zip argument, meaning standard PHP shell-escaping alone cannot be relied upon as a security control for this parameter.
  • Exploitation is possible even with minimal elFinder configuration, so any deployment, including default or lightly configured installs, should be considered at risk if the connector is unauthenticated.
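The two detection ideas in the bullets above (an elFinder HTML page served with HTTP 200 whose body references both `elfinder` and `php/connector`, and the `-TmTT` marker appearing in request parameters sent to the connector) are straightforward to turn into a log-scanning check. The following is an added example written for this page, not code from elFinder, the Metasploit module or the sources cited here. It assumes Combined Log Format access-log lines, a connector path of `/php/connector.minimal.php` (elFinder's default connector file; only the `php/connector` substring comes from this page), and constructed sample lines; the `cmd=archive` parameter in the sample is likewise an assumption about the connector's archive command.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Known elFinder HTML paths from the IOC list on this page.
ELFINDER_HTML_PATHS = {
    "/admin/elfinder/elfinder-cke.html",
    "/assets/backend/elfinder/elfinder-cke.html",
    "/assets/elFinder-2.1.9/elfinder.html",
    "/assets/elFinder/elfinder.html",
    "/backend/elfinder/elfinder-cke.html",
    "/elfinder/elfinder-cke.html",
    "/uploads/assets/backend/elfinder/elfinder-cke.html",
    "/uploads/assets/backend/elfinder/elfinder.html",
    "/uploads/elfinder/elfinder-cke.html",
}

# The zip argument named on this page as the archive command-injection marker.
INJECTION_MARKER = "-TmTT"

# Combined Log Format: client, method, request target, status (remaining fields ignored).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def exposed_elfinder_page(path, status, body):
    """Exposure check from the first bullet: a known elFinder HTML path answered
    with 200 whose body mentions both 'elfinder' and 'php/connector'.
    Needs the response body, so it suits a proxy or scanner, not an access log."""
    if status != 200 or path not in ELFINDER_HTML_PATHS:
        return False
    lowered = body.lower()
    return "elfinder" in lowered and "php/connector" in lowered


def injection_marker_params(query):
    """Return the names of query parameters whose decoded value contains -TmTT.
    parse_qs decodes once; the extra unquote() catches double-encoded values."""
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if any(INJECTION_MARKER in unquote(v) for v in values):
            hits.append(name)
    return sorted(hits)


def scan_access_log(lines):
    """Yield (client, alert_type, path, detail) tuples for suspicious lines."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        client, _method, target, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        parts = urlsplit(target)
        if "php/connector" in parts.path:
            hits = injection_marker_params(parts.query)
            if hits:
                alerts.append((client, "archive-injection-marker", parts.path, ",".join(hits)))
        elif parts.path in ELFINDER_HTML_PATHS and status == 200:
            # The UI page was served; confirm exposure with exposed_elfinder_page() on the body.
            alerts.append((client, "elfinder-page-served", parts.path, ""))
    return alerts


# Constructed sample log lines (hypothetical hosts and timestamps, not real traffic).
LOG_LINES = [
    '203.0.113.5 - - [14/Jun/2021:10:00:01 +0000] "GET /elfinder/elfinder-cke.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [14/Jun/2021:10:00:02 +0000] "GET /php/connector.minimal.php?cmd=open&target=l1_Lw HTTP/1.1" 200 812',
    '203.0.113.5 - - [14/Jun/2021:10:00:03 +0000] "GET /php/connector.minimal.php?cmd=archive&type=application%2Fzip&name=%2DTmTT HTTP/1.1" 200 300',
    '198.51.100.7 - - [14/Jun/2021:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1400',
]

if __name__ == "__main__":
    for alert in scan_access_log(LOG_LINES):
        print(alert)
```

The connector check keys on the `php/connector` substring rather than an exact path because the IOC list shows elFinder installed under several prefixes; the page-served alert is deliberately weaker than the body check, since an access log cannot show whether the served page actually wires up an unauthenticated connector.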

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P