CVE-2021-46398 — Cross-site request forgery in github.com/filebrowser/filebrowser/v2

Description

A Cross-Site Request Forgery vulnerability exists in Filebrowser that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim.

How to fix CVE-2021-46398

To remediate CVE-2021-46398, upgrade the affected package to a fixed version below.

—upgrade to 2.18.0 or later
—upgrade to 2.18.0 or later

Is CVE-2021-46398 being exploited?

Moderate — EPSS is 10.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 2.18.0
from 0, < 2.18.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-46398
WEBpacketstormsecurity.com/files/165885/FileBrowser-2.17.2-Code-Execution-Cross-Site-Request-Forgery.html
WEBfebin0x4e4a.blogspot.com/2022/01/critical-csrf-in-filebrowser.html
WEBfebin0x4e4a.wordpress.com/2022/01/19/critical-csrf-in-filebrowser