Posts

CVE-2021-46398 Critical CSRF to RCE in FileBrowser

Introduction

This is Febin, a security professional. I used to pick random open-source software for my research, and recently I took some web-based file management software as my research targets. There I found some popular web-based file managers, one of them was a software named "FileBrowser". While poking around I was able to find an awesome vulnerability in the application that leads to account takeover, complete access to the filesystem, and command execution. This article is going to be on that vulnerability.

Disclosure Timeline:

October 16, 2021 – Contacted the vendor and reported the vulnerability
October 19, 2021 – Vendor replies back
October 30, 2021 – Vulnerability has been patched in version v2.18.0
February 4, 2021 – CVE ID was assigned: CVE-2021-46398

Vendor/Software – Product Details

Filebrowser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit your files.

Tiny File Manager Authenticated RCE

Introduction

This is Febin, a security professional. I used to pick random open-source software for my research, and recently I took some web-based file management software as my research targets. There I found some popular web-based file managers, one of which was a software named "Tiny File Manager". While poking around I was able to find an awesome vulnerability in the application that leads to code execution on the server. This article is going to be on that vulnerability.

Disclosure Timeline:

September 16, 2021 - Contacted the developer and reported the vulnerability
September 17, 2021 - Developer replies back
September 20, 2021 - Developer verified the issue
September 26, 2021 - I patched the source code, fixed the RCE and sent a pull request to the original repository.
November 12, 2021 - Developer merged the commit. The vulnerability has been fixed.

Vendor/Software Details

TinyFileManager is a web-based file manager and it is a simple, fast and small file