NuytsTech Security

CVE-2021-23428

by ·

This affects all versions of package elFinder.NetCore. The Path.Combine(…) method is used to create an absolute file path. Due to missing sanitation of the user input and a missing check of the generated path its possible to escape the Files directory via path traversal

Date published : 2021-09-01

https://github.com/gordon-matt/elFinder.NetCore

https://github.com/gordon-matt/elFinder.NetCore/blob/633da9a4d7d5c9baefd1730ee51bf7af54889600/elFinder.NetCore/Drivers/FileSystem/FileSystemDriver.cs%23L387

Tags: