CVE-2019-6257 — elFinder Server Side Request Forgery (SSRF)

Description

A Server Side Request Forgery (SSRF) vulnerability in elFinder before 2.1.49 could allow a malicious user to access the content of internal network resources. This occurs in `get_remote_contents()` in `php/elFinder.class.php`.

How to fix CVE-2019-6257

To remediate CVE-2019-6257, upgrade the affected package to a fixed version below.

Packagist/studio-42/elfinder—upgrade to 2.1.49 or later

Is CVE-2019-6257 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.1.49

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-6257
PATCHgithub.com/Studio-42/elFinder
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/studio-42/elfinder/CVE-2019-6257.yaml
WEBgithub.com/Studio-42/elFinder/blob/2.1.49/Changelog