CVE-2021-45919
Description
Studio 42 elFinder through 2.1.31 allows XSS via an SVG document.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Studio 42 elFinder through 2.1.31 is vulnerable to stored cross-site scripting (XSS) via a crafted SVG document, allowing arbitrary JavaScript execution.
Vulnerability
Studio 42 elFinder versions up to and including 2.1.31 are vulnerable to stored cross-site scripting (XSS) through the file upload functionality. An attacker can upload a specially crafted SVG document that, when viewed or processed by the application, executes arbitrary JavaScript in the context of the victim's session [1].
Exploitation
An attacker with the ability to upload files to an elFinder instance can exploit this vulnerability by uploading an SVG file containing embedded JavaScript. No additional authentication or user interaction beyond viewing the uploaded file is required for the XSS to trigger [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the elFinder application. This can lead to session hijacking, data theft, or further compromise of the web application depending on the privileges of the affected user [1].
Mitigation
As of the publication date (2022-02-08), no official patch or fixed version has been released for this vulnerability. Users are advised to restrict SVG file uploads or disable the upload functionality until a fix is available. The vulnerability affects all versions through 2.1.31 [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
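The mitigation above recommends restricting SVG uploads until a fix is available. The following is an added example, not code from elFinder or the advisory, of a server-side upload check that does this: it identifies SVG by extension and by content sniffing (a renamed `.svg` still renders as SVG if served with an SVG content type), rejects SVG by default, and, where SVG must be allowed, flags the active-content constructs the description refers to and marks the file for download-only serving. The sample uploads, function names and the pattern list are constructed for illustration; pattern matching is a defence-in-depth check, not a substitute for rejecting SVG or serving it from an isolated origin.

```python
import re

# Constructed sample uploads (not taken from the advisory): a benign SVG, SVGs
# carrying script, an event handler, and a javascript: link, and a PNG header.
BENIGN_SVG = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect onload="alert(1)"/></svg>'
LINKED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><a href="javascript:alert(1)"><text>x</text></a></svg>'
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

SVG_EXTENSIONS = (".svg", ".svgz")


def is_svg(filename: str, data: bytes) -> bool:
    """True if the upload is SVG by extension or by sniffing the root element.

    Extension alone is not enough: a .png named file whose body starts with
    <svg> is still an SVG document to a browser that receives it as image/svg+xml.
    """
    if filename.lower().endswith(SVG_EXTENSIONS):
        return True
    head = data[:1024].decode("utf-8", errors="ignore")
    # Skip an XML declaration, comments and a DOCTYPE that may precede the root.
    head = re.sub(r"<\?xml.*?\?>|<!--.*?-->|<!DOCTYPE[^>]*>", "", head, flags=re.S)
    return head.lstrip().lower().startswith("<svg")


# Constructs that let an SVG run or embed script when rendered inline (assumed list).
ACTIVE_CONTENT = [
    (re.compile(rb"<\s*script\b", re.I), "script element"),
    (re.compile(rb"\son[a-z]+\s*=", re.I), "event handler attribute"),
    (re.compile(rb"(?:xlink:)?href\s*=\s*[\"']?\s*javascript:", re.I), "javascript: URL"),
    (re.compile(rb"<\s*foreignObject\b", re.I), "foreignObject (embeds HTML)"),
    (re.compile(rb"<\s*(?:iframe|embed|object)\b", re.I), "embedded document"),
]


def svg_active_content(data: bytes) -> list[str]:
    """Return the labels of active-content patterns found in an SVG body."""
    return [label for pattern, label in ACTIVE_CONTENT if pattern.search(data)]


def upload_decision(filename: str, data: bytes, allow_svg: bool = False) -> str:
    """Decide what to do with an upload: 'accept', 'reject' or 'accept-as-attachment'.

    Default policy is to reject SVG outright, matching the advisory's advice.
    When SVG is allowed, anything with active content is rejected and the rest
    is accepted only for download (serve with Content-Disposition: attachment
    from a path that never renders inline in the application's origin).
    """
    if not is_svg(filename, data):
        return "accept"
    if not allow_svg:
        return "reject"
    if svg_active_content(data):
        return "reject"
    return "accept-as-attachment"


if __name__ == "__main__":
    for name, body in [("logo.png", PNG), ("icon.svg", BENIGN_SVG),
                       ("icon.svg", SCRIPTED_SVG), ("icon.png", HANDLER_SVG)]:
        print(name, upload_decision(name, body, allow_svg=True), svg_active_content(body))
```

Hooking this into the upload path is the only policy change needed; the sniffing step is what keeps the check effective when the client controls the file name and the declared MIME type.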
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| studio-42/elfinder (Packagist) | <= 2.1.31 | — |
Affected products
- Studio 42/elFinder
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-c3j8-q5x6-2855 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-45919 (NVD advisory)
- www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-stored-xss-to-rce-using-beef-and-elfinder-cve-2021-45919 (GHSA web reference)
- www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-stored-xss-to-rce-using-beef-and-elfinder-cve-2021-45919/ (MITRE reference, MISC)
News mentions
No linked articles in our index yet.