8.8
CVE-2021-46398
- EPSS 6.66%
- Veröffentlicht 04.02.2022 16:15:07
- Zuletzt bearbeitet 21.11.2024 06:34:02
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginA Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim. An admin can run commands using the FileBrowser and hence it leads to RCE.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Filebrowser ≫ Filebrowser Version < 2.18.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 6.66% | 0.93 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
http://packetstormsecurity.com/files/165885/FileBrowser-2.17.2-Code-Execution-Cross-Site-Request-Forgery.html
https://febin0x4e4a.blogspot.com/2022/01/critical-csrf-in-filebrowser.html
https://febin0x4e4a.wordpress.com/2022/01/19/critical-csrf-in-filebrowser/
https://febinj.medium.com/critical-csrf-to-rce-in-filebrowser-865a3c34b8e7
https://github.com/filebrowser/filebrowser/commit/74b7cd8e81840537a8206317344f118093153e8d
https://systemweakness.com/critical-csrf-to-rce-in-filebrowser-865a3c34b8e7