GHSA-9rjp-r58j-fxgq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9rjp-r58j-fxgq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9rjp-r58j-fxgq/GHSA-9rjp-r58j-fxgq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9rjp-r58j-fxgq
- Aliases
-
- CVE-2021-23428
- Published
- 2021-09-02T22:05:26Z
- Modified
- 2026-03-13T22:11:17.814091Z
- Severity
-
- 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator
- Summary
- Path traversal in elFinder.NetCore
- Details
-
This affects all versions of package elFinder.NetCore. The Path.Combine(...) method is used to create an absolute file path. Due to missing sanitation of the user input and a missing check of the generated path its possible to escape the Files directory via path traversal
- Database specific
{ "github_reviewed_at": "2021-09-02T18:03:47Z", "severity": "HIGH", "cwe_ids": [ "CWE-20", "CWE-22" ], "github_reviewed": true, "nvd_published_at": "2021-09-01T15:15:00Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-23428
- https://github.com/gordon-matt/elFinder.NetCore
- https://github.com/gordon-matt/elFinder.NetCore/blob/633da9a4d7d5c9baefd1730ee51bf7af54889600/elFinder.NetCore/Drivers/FileSystem/FileSystemDriver.cs#L387
- https://github.com/gordon-matt/elFinder.NetCore/blob/633da9a4d7d5c9baefd1730ee51bf7af54889600/elFinder.NetCore/Drivers/FileSystem/FileSystemDriver.cs%23L387
- https://snyk.io/vuln/SNYK-DOTNET-ELFINDERNETCORE-1313838
Affected packages
NuGet / elFinder.NetCore
Package
- Name
- elFinder.NetCore
- View open source insights on deps.dev
- Purl
- pkg:nuget/elFinder.NetCore
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected1.3.5