Attacker Value
(1 user assessed)
(1 user assessed)
User Interaction
Privileges Required
Attack Vector


Disclosure Date: June 14, 2021
Add MITRE ATT&CK tactics and techniques that apply to this CVE.


elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.

Add Assessment

Technical Analysis

This CVE represents multiple vulnerabilities found in elFinder which you can read more about here. My assessment will mostly focus on the argument injection vulnerability, as that one is personally the easiest to exploit / gives the best reward out of all of them from an attacker’s perspective (a shell!).

The argument injection vulnerability occurs in the makeArchive() function:

php/elFinderVolumeDriver.class.php from elFinder v2.1.57

6841     protected function makeArchive($dir, $files, $name, $arc)
6842     {
6843         if ($arc['cmd'] === 'phpfunction') {
6844             if (is_callable($arc['argc'])) {
6845                 call_user_func_array($arc['argc'], array($dir, $files, $name));
6846             }
6847         } else {
6848             $cwd = getcwd();
6849             if (chdir($dir)) {
6850                 foreach ($files as $i => $file) {
6851                     $files[$i] = '.' . DIRECTORY_SEPARATOR . basename($file);
6852                 }
6853                 $files = array_map('escapeshellarg', $files);
6855                 $cmd = $arc['cmd'] . ' ' . $arc['argc'] . ' ' . escapeshellarg($name) . ' ' . implode(' ', $files);
6856                 $this->procExec($cmd, $o, $c);
6857                 chdir($cwd);
6858             } else {
6859                 return false;
6860             }
6861         }
6862         $path = $dir . DIRECTORY_SEPARATOR . $name;
6863         return file_exists($path) ? $path : false;
6864     }

On line 6855, the archive command is created with the previously-sanitized file name(s) and the user-controlled name variable being passed to escapeshellarg(). escapeshellarg() escapes single quotes and places singles quotes around the string supplied as the argument. Additionally, I found that the name variable is further sanitized via another method. Certain characters like spaces, slashes, +’s, etc. are either removed or replaced with other characters, adding some minor complexity to the exploit. Despite these limitations, when using zip as the archive method, supplying the -TmTT option through the name parameter / variable allows execution of arbitrary commands.

This vulnerability’s impact can vary since elFinder can be used as a standalone web-based file manager and as an underlying file manager for other software. Standalone, elFinder does not require authentication, so exploitation would be quite straightforward. I don’t expect there to be many of these installations on the open internet, so while easy to exploit, this would likely require being on an internal network first.

In cases where elFinder is integrated with other software, this may add to the complexity by requiring auth / admin privileges. For instance, according to the Portswigger article elFinder is used as part of the Wordpress File Manager, but requires access to an admin account to exploit. This is likely the similar case for other software that integrates with elFinder, such as CKEditor, TinyMCE, etc.

While it’s hard to determine just how widespread this vulnerability is, I think most vulnerable elFinder installations are probably behind auth via third-party apps. Whether that’s truly the case or not, a patch for this should be prioritized.

Edit: I selected both unauthenticated and authenticated since this vulnerability can technically be both.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
Exploitability Score:
Attack Vector (AV):
Attack Complexity (AC):
Privileges Required (PR):
User Interaction (UI):
Scope (S):
Confidentiality (C):
Integrity (I):
Availability (A):

General Information


  • std42


  • elfinder
Technical Analysis