This affects the package elFinder.AspNet before 1.1.1. The user-controlled file name is not properly sanitized before it is used to create a file system path.
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23415.json"
[ { "events": [ { "introduced": "0" }, { "fixed": "1.1.1" } ] }, { "events": [ { "introduced": "elFinder.AspNet" }, { "fixed": "1.1.1" } ] } ]