CVE-2021-46398
FileBrowser 2.17.2 - Cross Site Request Forgery (CSRF) to Remote Code Execution (RCE)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
7Exploited in Wild
-Decision
Descriptions
A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim. An admin can run commands using the FileBrowser and hence it leads to RCE.
Existe una vulnerabilidad de falsificación de solicitud en sitios cruzados en Filebrowser versiones anteriores 2.18.0 que permite a los atacantes crear un usuario de puerta trasera con privilegios de administrador y obtener acceso al sistema de archivos a través de una página web HTML maliciosa que se envía a la víctima. Un administrador puede ejecutar comandos utilizando el FileBrowser y por lo tanto conduce a RCE
FileBrowser versions 2.17.2 and below suffer from a cross site request forgery vulnerability that can lead to remote code execution.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-01-18 CVE Reserved
- 2022-02-04 CVE Published
- 2022-02-08 First Exploit
- 2024-08-04 CVE Updated
- 2024-09-10 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (8)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/filebrowser/filebrowser/commit/74b7cd8e81840537a8206317344f118093153e8d | 2022-03-04 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Filebrowser Search vendor "Filebrowser" | Filebrowser Search vendor "Filebrowser" for product "Filebrowser" | < 2.18.0 Search vendor "Filebrowser" for product "Filebrowser" and version " < 2.18.0" | - |
Affected
| ||||||