CVE-2022-26960: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

March 21, 2022 (updated June 30, 2022)

connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.

References

github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db
nvd.nist.gov/vuln/detail/CVE-2022-26960
www.synacktiv.com/publications.html

Code Behaviors & Features

Detect and mitigate CVE-2022-26960 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →