CVE-2021-23394: Snyk Vulnerability Database | Snyk
The package studio-42/elfinder before 2.1.58 is vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
- Snyk ID SNYK-PHP-STUDIO42ELFINDER-1290554
- published 13 Jun 2021
- disclosed 9 May 2021
- credit Ashok Chand
How to fix?
Upgrade studio-42/elfinder to version 2.1.58 or higher.
Overview
studio-42/elfinder is an open-source file manager for the web, written in JavaScript using jQuery UI.
Affected versions of this package are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server is configured to parse .phar files as PHP.