VYPR
High severity · NVD Advisory · Published Jun 19, 2023 · Updated Dec 11, 2024

CVE-2023-35840

Description

_joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal in elFinder's PHP LocalVolumeDriver connector allows untrusted users to write arbitrary files to the local file system.

Vulnerability

Overview

The _joinPath method in elFinderVolumeLocalFileSystem.class.php before version 2.1.62 does not adequately sanitize the directory component of a path, enabling directory traversal. When realpath() cannot resolve the requested path (for example because the file is about to be created and does not exist yet), the method falls back to the raw $dir and $name strings, and only $name was checked for `..` sequences; a $dir containing `..` could therefore yield a path outside the volume root. This incomplete validity checking of request parameters is what lets an attacker escape the root directory [2].

Exploitation

Conditions

The vulnerability exists in the PHP LocalVolumeDriver connector. An attacker needs to be able to trigger a write operation on the volume (for example an upload or a file or directory creation). No authentication is required beyond whatever the deploying application puts in front of the connector, so a connector exposed publicly is reachable by anyone, which makes older versions on public servers especially dangerous [1]. The traversal is triggered by `..` sequences in the directory or name values that reach _joinPath; the directory value ($dir) was the one left unchecked [3].

Impact

Successful exploitation lets an untrusted user write files to arbitrary locations on the local file system that the web server process can write to, which can lead to remote code execution (for example by overwriting a PHP file or dropping a web shell under the document root). The project's advisory warns that older versions on public servers may cause "serious damage to your server and visited user" [1][2].

Mitigation

Status

The vulnerability is fixed in elFinder 2.1.62 [2]. The fix commit adds a check on the $dir argument of _joinPath: if $dir contains `..` followed by a directory separator, or ends in `..`, it is reset to the volume root before the path is joined; the pre-existing check on $name, which reduces a name containing `..` plus a separator to its basename(), is unchanged [3]. Administrators are urged to update immediately; if updating is not possible, they must prohibit write access for untrusted users or remove elFinder from the server entirely [2].
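To make the Exploitation and Mitigation points above concrete, the following PHP is an added illustration, not elFinder's code: it reconstructs the shape of _joinPath that the fix diff shows, once as the pre-2.1.62 fallback and once with the added $dir guard, and runs both against constructed inputs inside a throwaway temporary directory. Assumptions: after the checks the components are joined as `$dir . DIRECTORY_SEPARATOR . $name` (the hunk does not show that line), and the JoinPathDemo class with its normalize() and isInsideRoot() helpers are hypothetical, written only for this example.

```php
<?php
// Added example, not elFinder's code. Reconstructs the _joinPath shape visible
// in the fix diff; the final join line and the JoinPathDemo/normalize/
// isInsideRoot helpers are assumptions made for this illustration.
// Requires PHP 8.0+ (str_starts_with, constructor promotion).
declare(strict_types=1);

final class JoinPathDemo
{
    public function __construct(private string $root) {}

    // Pre-2.1.62 behaviour (reconstruction): when realpath() fails because the
    // target does not exist yet, only $name is checked for '..' + separator;
    // $dir is used exactly as supplied.
    public function joinVulnerable(string $dir, string $name): string
    {
        $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
        if ($path === false || strpos($path, $this->root) !== 0) {
            if (DIRECTORY_SEPARATOR !== '/') {
                $name = str_replace('/', DIRECTORY_SEPARATOR, $name);
            }
            if (strpos($name, '..' . DIRECTORY_SEPARATOR) !== false) {
                $name = basename($name);
            }
            $path = $dir . DIRECTORY_SEPARATOR . $name; // assumed join
        }
        return $path;
    }

    // 2.1.62 behaviour, mirroring the added lines: a $dir containing '..' +
    // separator, or ending in '..', is reset to the volume root.
    public function joinFixed(string $dir, string $name): string
    {
        $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
        if ($path === false || strpos($path, $this->root) !== 0) {
            if (DIRECTORY_SEPARATOR !== '/') {
                $dir = str_replace('/', DIRECTORY_SEPARATOR, $dir);
                $name = str_replace('/', DIRECTORY_SEPARATOR, $name);
            }
            if (strpos($dir, '..' . DIRECTORY_SEPARATOR) !== false || substr($dir, -2) === '..') {
                $dir = $this->root;
            }
            if (strpos($name, '..' . DIRECTORY_SEPARATOR) !== false) {
                $name = basename($name);
            }
            $path = $dir . DIRECTORY_SEPARATOR . $name; // assumed join
        }
        return $path;
    }

    // Lexical normalisation for paths that may not exist yet (so realpath()
    // is unusable): drops '.' segments, lets '..' pop the previous segment.
    // POSIX-style paths only; backslashes are treated as separators.
    public static function normalize(string $path): string
    {
        $p = str_replace('\\', '/', $path);
        $abs = str_starts_with($p, '/');
        $out = [];
        foreach (explode('/', $p) as $seg) {
            if ($seg === '' || $seg === '.') continue;
            if ($seg === '..') { array_pop($out); continue; }
            $out[] = $seg;
        }
        return ($abs ? '/' : '') . implode('/', $out);
    }

    // Caller-side containment check: the result must equal the root or start
    // with root + '/', so a sibling such as "root2" does not pass as a prefix.
    public function isInsideRoot(string $path): bool
    {
        $root = self::normalize($this->root);
        $norm = self::normalize($path);
        return $norm === $root || str_starts_with($norm, $root . '/');
    }
}

// Constructed demo: a fresh temporary directory is the volume root, so the
// computed paths point nowhere sensitive and no file is ever written.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'elfinder_demo_' . bin2hex(random_bytes(4));
mkdir($root, 0700);
$demo = new JoinPathDemo($root);

$cases = [
    [$root, 'new.txt'],                   // ordinary mkfile: target does not exist yet
    [$root . '/..', 'shell.php'],         // traversal in $dir: escapes before 2.1.62
    [$root, '../../outside/shell.php'],   // traversal in $name: basename() in both versions
];
foreach ($cases as [$dir, $name]) {
    $v = $demo->joinVulnerable($dir, $name);
    $f = $demo->joinFixed($dir, $name);
    printf("dir=%s name=%s\n  vulnerable: %s  inside root: %s\n  fixed:      %s  inside root: %s\n",
        $dir, $name, $v, $demo->isInsideRoot($v) ? 'yes' : 'NO', $f, $demo->isInsideRoot($f) ? 'yes' : 'NO');
}
rmdir($root);
```

Run it with `php join_path_demo.php`. The second case is the one the fix addresses: realpath() fails because shell.php does not exist, the pre-fix fallback keeps the `$root/..` directory as supplied, and the joined path lands one level above the root; with the added guard the directory is reset to the root. The isInsideRoot() helper is the kind of caller-side check worth keeping regardless of version, since a bare prefix comparison against the root accepts sibling directories whose names merely begin with the root's name.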

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
studio-42/elfinder (Packagist)   < 2.1.62            2.1.62


Patches

bb9aaa7b096a

[VD:LocalFileSystem] Security fixes, directory traversal vulnerability

https://github.com/Studio-42/elFinder · nao-pon · Jun 1, 2023 · via GHSA
1 file changed · +4 −0
  • php/elFinderVolumeLocalFileSystem.class.php · +4 −0 · modified
    @@ -373,9 +373,13 @@ protected function _joinPath($dir, $name)
             // realpath() returns FALSE if the file does not exist
             if ($path === false || strpos($path, $this->root) !== 0) {
                 if (DIRECTORY_SEPARATOR !== '/') {
    +                $dir = str_replace('/', DIRECTORY_SEPARATOR, $dir);
                     $name = str_replace('/', DIRECTORY_SEPARATOR, $name);
                 }
                 // Directory traversal measures
    +            if (strpos($dir, '..' . DIRECTORY_SEPARATOR) !== false || substr($dir, -2) == '..') {
    +                $dir = $this->root;
    +            }
                 if (strpos($name, '..' . DIRECTORY_SEPARATOR) !== false) {
                     $name = basename($name);
                 }
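Review bot: the new guard `if (strpos($dir, '..' . DIRECTORY_SEPARATOR) !== false || substr($dir, -2) == '..')` covers a trailing `..` in $dir, but the $name guard three lines below still only matches `..` followed by a separator, so a $name that is exactly `..` (or ends in `..` with no separator) is not reduced by basename() in this fallback branch; consider mirroring the trailing-`..` test there, or rejecting such a name outright, unless upstream name validation already excludes it. Separately, the containment test in the context line `strpos($path, $this->root) !== 0` is a bare prefix match, so a sibling directory whose name begins with the root's name (root `/srv/files` versus `/srv/files2`) passes it; comparing against `$this->root . DIRECTORY_SEPARATOR` or exact equality with the root closes that. Minor: `==` in the added `substr($dir, -2) == '..'` should be `===` to match the strict comparisons around it.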
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
