elFinder SQL Injection Vulnerability in MySQL Volume Driver

A SQL injection vulnerability has been identified in elFinder versions through 2.1.67, specifically within the MySQL volume driver (elFinderVolumeMySQL). This vulnerability allows authenticated users, including those with read-only access to the affected volume, to inject SQL by crafting specific target file hashes. Exploitation of this vulnerability could result in unauthorized data disclosure and denial-of-service conditions. The issue arises because file hashes are decoded without proper validation, allowing manipulated values to interfere with SQL query logic. As a consequence, exploited queries could disclose sensitive data accessible to the MySQL account in use or cause excessive memory consumption by generating large query results.

Impact

Exploitation allows for unauthorized data access through the MySQL account in use, including file contents and database metadata. Additionally, it can cause denial-of-service by overwhelming the server with resource-intensive query results.

Remediation

Users can upgrade to elFinder version 2.1.68 or later to address this vulnerability.