CVE-2021-46398

moderate-risk
Published 2022-02-04

A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim. An admin can run commands using the FileBrowser and hence it leads to RCE.

Do I need to act?

!
10.3% chance of exploitation in next 30 days
EPSS score — higher than 90% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
50717
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Filebrowser

References (12)

Exploit http://packetstormsecurity.com/files/165885/FileBrowser-2.17.2-Code-Execution-Cr...
Exploit https://febin0x4e4a.blogspot.com/2022/01/critical-csrf-in-filebrowser.html
Exploit https://febin0x4e4a.wordpress.com/2022/01/19/critical-csrf-in-filebrowser/
Exploit https://febinj.medium.com/critical-csrf-to-rce-in-filebrowser-865a3c34b8e7
Patch https://github.com/filebrowser/filebrowser/commit/74b7cd8e81840537a8206317344f11...
Exploit https://systemweakness.com/critical-csrf-to-rce-in-filebrowser-865a3c34b8e7
Exploit http://packetstormsecurity.com/files/165885/FileBrowser-2.17.2-Code-Execution-Cr...
Exploit https://febin0x4e4a.blogspot.com/2022/01/critical-csrf-in-filebrowser.html
Exploit https://febin0x4e4a.wordpress.com/2022/01/19/critical-csrf-in-filebrowser/
Exploit https://febinj.medium.com/critical-csrf-to-rce-in-filebrowser-865a3c34b8e7
Patch https://github.com/filebrowser/filebrowser/commit/74b7cd8e81840537a8206317344f11...
Exploit https://systemweakness.com/critical-csrf-to-rce-in-filebrowser-865a3c34b8e7
46
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 11/34 · Low
Exposure 5/34 · Minimal