CVE-2023-35840: 
PHP vulnerability analysis and mitigation

_joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before version 2.1.62 contains a path traversal vulnerability in the PHP LocalVolumeDriver connector. The vulnerability was discovered in June 2023 and affects all versions of elFinder prior to 2.1.62 (NVD, GitHub Advisory).

The vulnerability exists in the target parameter which contains a base64 encoded path. The issue stems from incomplete validity checking of supplied request parameters in the joinPath function. An attacker can manipulate the base64 encoded path by modifying it to include directory traversal sequences (../../). For example, a path 'pentest' is encoded as 'l1cGVudGVzdA==', which can be modified to 'l1_cGVudGVzdC8uLi8uLi8=' to traverse directories. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (AFINE, Sectroyer).

This vulnerability allows untrusted users to write to the local file system outside of the configured document root. An attacker can exploit this to write arbitrary files to the application root folder, potentially leading to unauthorized file system access and manipulation (GitHub Advisory).

The vulnerability has been patched in elFinder version 2.1.62. Users are strongly advised to update to this version or newer. If immediate updating is not possible, it is recommended to prohibit write access for untrusted users (GitHub Advisory).

The vulnerability was discovered and reported by Michał Majchrowicz & Livio Victoriano from the AFINE Team, who received special acknowledgment from the elFinder team for their contribution to security (GitHub Commit).