Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-46398 — Cross-Site Request Forgery in Filebrowser Filebrowser V2

CWE-352 — Cross-Site Request Forgery6 documents5 sources

Severity

8.8HIGHNVD

EPSS

10.3%

top 6.79%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Github.com Filebrowser Filebrowser V2 Filebrowser

Timeline

PublishedFeb 4

Latest updateFeb 8

Description

A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim. An admin can run commands using the FileBrowser and hence it leads to RCE.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDfilebrowser/filebrowser< 2.18.0

▶Gogithub.com/filebrowser_filebrowser_v2< 2.18.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Cross-Site Request Forgery in Filebrowser↗2022-02-05

▶

GHSA

Cross-Site Request Forgery in Filebrowser↗2022-02-05

▶

OSV

Cross-site request forgery in github.com/filebrowser/filebrowser/v2↗2022-02-05

▶

CVEList

CVE-2021-46398: A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2↗2022-02-04

▶

💥Exploits & PoCs

Exploit-DB

FileBrowser 2.17.2 - Cross Site Request Forgery (CSRF) to Remote Code Execution (RCE)↗2022-02-08

▶