VYPR
Critical severity · NVD Advisory · Published Apr 7, 2022 · Updated Aug 4, 2024

CVE-2021-43421


Description

A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A file upload vulnerability in elFinder 2.0.4 to 2.1.59 allows remote attackers to upload arbitrary files and execute PHP code.

Vulnerability

A file upload vulnerability exists in Studio-42 elFinder versions 2.0.4 to 2.1.59 via connector.minimal.php. The bug allows a remote malicious user to upload arbitrary files, including PHP scripts, due to insufficient validation of uploaded file types. The affected versions are those prior to the 2.1.60 release [1][4].

Exploitation

An attacker needs network access to the elFinder instance. No authentication is required if the instance is publicly accessible. The attacker can upload a malicious PHP file through the file upload functionality; the connector does not adequately filter file extensions or content types, enabling the upload of executable scripts [1][3].

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the server. This can lead to full compromise of the web server, including data theft, defacement, or further lateral movement within the network [1].

Mitigation

Users should update elFinder to version 2.1.60 or later, which includes a fix that restricts accepted file names on Windows servers and improves overall upload validation [4]. The GitHub repository warning advises that older versions on public servers may cause serious damage and that users should update immediately [2]. No workaround is documented; updating is the recommended mitigation [2][4].
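To see what the patched default `acceptedName` filter actually accepts, the following Python re-implements the two patterns from elFinder commit c08bcbfa722d (shown in the patch on this page) and runs them over a constructed sample of upload names. It is an added example, not elFinder's own code; the log line format, the helper names `is_accepted_name` and `find_rejected_names`, and the sample names are all invented here.

```python
import re

# Patterns copied from the patch on this page (elFinder commit c08bcbfa722d). The PHP
# source is single-quoted, so its '\\\:' reaches PCRE as an escaped backslash followed
# by ':'; the raw strings below encode the same character classes.
ACCEPTED_NAME = {
    # used when DIRECTORY_SEPARATOR === '/' (Linux and other POSIX systems):
    # no leading '.', and no '/' or NUL anywhere in the name
    "posix": re.compile(r'^[^./\x00][^/\x00]*$'),
    # used on Windows: additionally rejects '\', ':', '*', '?', '"', '<', '>', '|'
    "windows": re.compile(r'^[^./\x00\\:*?"<>|][^/\x00\\:*?"<>|]*$'),
}


def is_accepted_name(name: str, platform: str = "posix") -> bool:
    """Return True if `name` passes the 2.1.60 default acceptedName filter for `platform`."""
    return ACCEPTED_NAME[platform].match(name) is not None


# Constructed sample of connector upload log lines (invented format, not elFinder output).
SAMPLE_LOG = """\
2021-11-01T10:00:01Z upload root=files name="report.pdf"
2021-11-01T10:00:02Z upload root=files name=".htaccess"
2021-11-01T10:00:03Z upload root=files name="notes.txt:hidden"
2021-11-01T10:00:04Z upload root=files name="photo<1>.jpg"
2021-11-01T10:00:05Z upload root=files name="plain name with spaces.docx"
"""

LOG_RE = re.compile(r'name="([^"]*)"')


def find_rejected_names(log_text: str, platform: str) -> list:
    """Names in the log that the patched default filter would reject on `platform`.

    Running this over the upload history of a pre-2.1.60 instance shows which names
    the upgrade will start blocking, so the change can be communicated before deploying.
    """
    rejected = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and not is_accepted_name(m.group(1), platform):
            rejected.append(m.group(1))
    return rejected


if __name__ == "__main__":
    for platform in ("posix", "windows"):
        print(platform, find_rejected_names(SAMPLE_LOG, platform))
```

Note that the non-Windows pattern only blocks leading dots, `/` and NUL; names containing `:` or `<>` are still accepted there, whereas the Windows pattern rejects them because they are reserved characters on that filesystem.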

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: studio-42/elfinder (Packagist)
Affected versions: >= 2.0.4, < 2.1.60
Patched versions: 2.1.60

Affected products

2

Patches

1
c08bcbfa722d

[VD:LocalFileSystem] fix #3429 RCE on Windows server

https://github.com/Studio-42/elFinder · nao-pon · Nov 1, 2021 · via ghsa
1 file changed · +7 −0
  • php/elFinderVolumeLocalFileSystem.class.php · +7 −0 · modified
    @@ -81,6 +81,13 @@ public function __construct()
             $this->options['keepTimestamp'] = array('copy', 'move'); // keep timestamp at inner filesystem allowed 'copy', 'move' and 'upload'
             $this->options['substituteImg'] = true;       // support substitute image with dim command
             $this->options['statCorrector'] = null;       // callable to correct stat data `function(&$stat, $path, $statOwner, $volumeDriveInstance){}`
    +        if (DIRECTORY_SEPARATOR === '/') {
    +            // Linux
    +            $this->options['acceptedName'] = '/^[^\.\/\x00][^\/\x00]*$/';
    +        } else {
    +            // Windows
    +            $this->options['acceptedName'] = '/^[^\.\/\x00\\\:*?"<>|][^\/\x00\\\:*?"<>|]*$/';
    +        }
         }
     
         /*********************************************************************/
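Review bot: the new default rejects every name that starts with `.` on both branches (the first-character classes `[^\.\/\x00]` and `[^\.\/\x00\\\:*?"<>|]` both exclude a leading dot), which is a behaviour change for existing deployments that create or upload dotfiles, yet the hunk carries no changelog or documentation update; please document the new default and that a root can still set its own `acceptedName`. Two smaller points: the `// Linux` comment on the `DIRECTORY_SEPARATOR === '/'` branch is inaccurate, since that branch is taken on every non-Windows platform (macOS, BSD), so `// non-Windows` would read better; and a unit test pinning a few accepted and rejected names per branch would guard the escaping in the single-quoted Windows pattern, where `'\\\:'` collapses to an escaped backslash plus `:` before PCRE sees it.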
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.