Path traversal in elFinder.NetCore

GHSA-9rjp-r58j-fxgq · CVE-2021-23428

Published Sep 2, 2021 · Modified Mar 13, 2026

Description

This affects all versions of package elFinder.NetCore. The Path.Combine(...) method is used to create an absolute file path. Due to missing sanitation of the user input and a missing check of the generated path its possible to escape the Files directory via path traversal

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-23428
PACKAGE https://github.com/gordon-matt/elFinder.NetCore
WEB https://github.com/gordon-matt/elFinder.NetCore/blob/633da9a4d7d5c9baefd1730ee51bf7af54889600/elFinder.NetCore/Drivers/FileSystem/FileSystemDriver.cs#L387
WEB https://github.com/gordon-matt/elFinder.NetCore/blob/633da9a4d7d5c9baefd1730ee51bf7af54889600/elFinder.NetCore/Drivers/FileSystem/FileSystemDriver.cs%23L387
WEB https://snyk.io/vuln/SNYK-DOTNET-ELFINDERNETCORE-1313838

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes