CVE-2023-52045
📋 TL;DR
This vulnerability allows attackers to bypass filename restrictions in Studio-42 elFinder 2.1.62, enabling persistent cross-site scripting (XSS) attacks. Attackers can inject malicious scripts into uploaded filenames that execute when other users view or interact with those files. This affects any web application using the vulnerable elFinder component for file management.
💻 Affected Systems
- Studio-42 elFinder
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites through persistent XSS payloads.
Likely Case
Attackers upload files with malicious filenames containing XSS payloads, which execute when administrators or other users browse the file manager interface.
If Mitigated
With proper input validation and output encoding, the impact is limited to failed upload attempts or benign file operations.
🎯 Exploit Status
Exploitation requires file upload privileges but is straightforward once access is obtained. The GitHub issue shows proof-of-concept examples.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.63 or later
Vendor Advisory: https://github.com/Studio-42/elFinder/issues/3617
Restart Required: No
Instructions:
1. Update elFinder to version 2.1.63 or later.
2. Replace the existing elFinder files with the patched version.
3. Clear any cached JavaScript or static assets.
🔧 Temporary Workarounds
Implement server-side filename sanitization
Add custom validation to strip or reject filenames containing HTML/JavaScript special characters before processing.
Enable Content Security Policy (CSP)
Implement strict CSP headers to mitigate XSS impact by restricting script execution sources.
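The sanitization workaround above is easiest to see as code. The following is an added example, not elFinder project code: a strict reject policy and a lenient strip policy for client-supplied filenames, plus the output encoding that must still be applied when a name is rendered into the file-manager listing. The function names, the forbidden-character set and the listing markup are assumptions made for this example.

```javascript
// Added example (not elFinder project code). Assumes a Node-style connector
// that sees the client-supplied upload name before it is stored or rendered.

// Characters rejected from filenames: HTML/JS delimiters, path separators and
// control characters. "&" is left alone here and handled by output encoding.
const FORBIDDEN = /[<>"'`\\/\x00-\x1f]/;

// Strict policy: return the name unchanged if acceptable, otherwise throw.
function validateFilename(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 255) {
    throw new Error("invalid filename length");
  }
  // Reject traversal and reserved names outright rather than "cleaning" them.
  if (name === "." || name === "..") {
    throw new Error("reserved filename");
  }
  if (FORBIDDEN.test(name)) {
    throw new Error("filename contains forbidden characters");
  }
  return name;
}

// Lenient policy: strip forbidden characters instead of rejecting, collapse
// whitespace and fall back to a fixed name if nothing usable remains.
function sanitizeFilename(name) {
  const stripped = String(name).replace(/[<>"'`\\/\x00-\x1f]/g, "");
  const trimmed = stripped.trim().replace(/\s+/g, " ");
  return trimmed === "" || trimmed === "." || trimmed === ".." ? "unnamed" : trimmed;
}

// Output encoding: the second line of defense. Even a name that slipped past
// upload validation (or was renamed later) must be rendered as text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Listing row rendering (markup is hypothetical). The vulnerable pattern
// interpolates the raw name; the safe pattern encodes it.
function renderRowVulnerable(name) {
  return `<li class="file">${name}</li>`;
}
function renderRowSafe(name) {
  return `<li class="file">${escapeHtml(name)}</li>`;
}

// Usage with the same test name the advisory suggests.
const sample = "<script>alert(1)</script>.txt";
console.log(sanitizeFilename(sample)); // stripped name
console.log(renderRowSafe(sample));    // markup-encoded row
```

Reject is preferable to strip for uploads (a user can simply be told to rename the file), but stripping is useful where a rename must succeed. Neither replaces output encoding: the listing must encode every name it prints, because names can also arrive through rename, archive extraction or direct filesystem edits that never pass the upload check.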
🧯 If You Can't Patch
- Disable file upload functionality in elFinder if not required
- Implement web application firewall (WAF) rules to block requests with suspicious filename patterns
🔍 How to Verify
Check if Vulnerable:
Check if the elFinder version is 2.1.62 or earlier by examining the component files or package manager.
Check Version:
Check the elFinder.version property in JavaScript or examine the component's source files for version identifiers.
Verify Fix Applied:
After updating, test file uploads with filenames containing XSS payloads (e.g., <script>alert(1)</script>.txt) to ensure they are properly sanitized or rejected.
📡 Detection & Monitoring
Log Indicators:
- File upload requests with filenames containing <, >, script, javascript, or other HTML/JS patterns
- Unusual file upload activity from single users
Network Indicators:
- HTTP POST requests to file upload endpoints with suspicious filename parameters
SIEM Query:
source="web_server" AND (url_path="/elfinder/connector" OR url_path="/elfinder/upload") AND (filename="*<*" OR filename="*>*" OR filename="*script*" OR filename="*javascript*")
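The log indicators and SIEM query above can be checked offline before they go into a SIEM. The following is an added example, not part of the advisory or of elFinder: it applies those indicators to constructed JSON-lines upload logs, percent-decoding the filename first (the SIEM pattern as written would miss a name sent as `%3Cscript%3E`), and also counts uploads per user for the "unusual activity from a single user" indicator. The log field names (user, method, path, filename), the sample records and the per-user threshold are assumptions made for this example.

```javascript
// Added example (not elFinder project code). Constructed upload log in
// JSON-lines form; field names are assumptions for this example.
const SAMPLE_LOG = [
  { user: "alice", method: "POST", path: "/elfinder/connector", filename: "quarterly-report.pdf" },
  { user: "bob",   method: "POST", path: "/elfinder/connector", filename: "%3Cscript%3Ealert(1)%3C%2Fscript%3E.txt" },
  { user: "bob",   method: "POST", path: "/elfinder/connector", filename: "notes.txt" },
  { user: "bob",   method: "POST", path: "/elfinder/upload",    filename: "photo.jpg" },
  { user: "carol", method: "GET",  path: "/elfinder/connector", filename: "" },
  { user: "dave",  method: "POST", path: "/api/other",          filename: "<b>.txt" },
].map((r) => JSON.stringify(r)).join("\n");

// Same endpoints and filename patterns as the SIEM query above.
const UPLOAD_PATHS = new Set(["/elfinder/connector", "/elfinder/upload"]);
const SUSPICIOUS = [/[<>]/, /script/i, /javascript/i];

// Percent-decode so an encoded "<script>" is judged the same as a literal one.
function decodeName(name) {
  try {
    return decodeURIComponent(name);
  } catch {
    return name; // malformed escape: fall back to the raw value
  }
}

function isSuspiciousFilename(name) {
  const decoded = decodeName(String(name));
  return SUSPICIOUS.some((re) => re.test(decoded));
}

// Returns { hits, bursts }: hits are uploads whose filename matches an
// indicator; bursts are users at or above the per-user upload threshold.
function analyzeUploadLog(text, perUserThreshold = 3) {
  const hits = [];
  const perUser = new Map();
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      continue; // skip unparseable lines rather than abort the scan
    }
    if (rec.method !== "POST" || !UPLOAD_PATHS.has(rec.path)) continue;
    perUser.set(rec.user, (perUser.get(rec.user) || 0) + 1);
    if (typeof rec.filename === "string" && isSuspiciousFilename(rec.filename)) {
      hits.push({ user: rec.user, filename: decodeName(rec.filename), reason: "suspicious filename" });
    }
  }
  const bursts = [...perUser]
    .filter(([, n]) => n >= perUserThreshold)
    .map(([user, count]) => ({ user, count }));
  return { hits, bursts };
}

console.log(JSON.stringify(analyzeUploadLog(SAMPLE_LOG), null, 2));
```

The bare `script` pattern from the advisory will also match benign names such as transcript.pdf, so expect false positives and tune the regular expressions to the environment; the decode step is the more important addition, since a literal-only match lets an encoded name through.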