Imporoper path validation in elFinder.NetCore

GHSA-wmpm-fq7r-jq56 · CVE-2021-23427

Published Sep 2, 2021 · Modified Mar 13, 2026

Description

This affects all versions of package elFinder.NetCore. The ExtractAsync function within the FileSystem is vulnerable to arbitrary extraction due to insufficient validation.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-23427
PACKAGE https://github.com/gordon-matt/elFinder.NetCore
WEB https://github.com/gordon-matt/elFinder.NetCore/blob/633da9a4d7d5c9baefd1730ee51bf7af54889600/elFinder.NetCore/Drivers/FileSystem/FileSystemDriver.cs#L226
WEB https://github.com/gordon-matt/elFinder.NetCore/blob/633da9a4d7d5c9baefd1730ee51bf7af54889600/elFinder.NetCore/Drivers/FileSystem/FileSystemDriver.cs%23L226
WEB https://snyk.io/vuln/SNYK-DOTNET-ELFINDERNETCORE-1567778

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes