CKFinder for ASP.NET 2.5.0.1 with a Security Patch Released

We would like to announce an immediate release of CKFinder for ASP.NET 2.5.0.1 which contains a critical security fix. An upgrade is highly recommended!

We were contacted yesterday (June 8th) by Tornike Gelashvili, CTO of Helix Group, regarding an issue discovered during penetration tests. After confirming the issue, we developed a security fix so that it could be provided to the general public as soon as possible. The application was also checked to confirm that it was the only place affected.

Issue Description

Due to insufficient checks in the ASP.NET connector, an authenticated user using the built-in DownloadFile command could download any file from the server (with an extension allowed in defined resource types, as well as without any extension), when providing an absolute path to the file.

  • Severity: Critical
  • Versions affected: CKFinder for ASP.NET <= 2.5.0
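
The kind of check described above, as an added example that is not CKFinder's code: a download handler that rejects rooted file names and confirms the canonical path stays inside the resource type directory before applying the extension allow-list. The class, method and sample paths are hypothetical, and the comment about `Path.Combine` describes general .NET behaviour, not the confirmed cause of this issue.

```csharp
using System;
using System.IO;

// Added illustration, not CKFinder source. All names here are hypothetical.
public static class DownloadPathGuard
{
    // Returns the canonical path of the requested file if it lies inside baseDir
    // and carries an allowed extension; returns null for anything else.
    public static string ResolveInsideBase(string baseDir, string requestedName, string[] allowedExtensions)
    {
        if (string.IsNullOrEmpty(requestedName))
            return null;

        // Path.Combine(baseDir, x) returns x unchanged when x is rooted,
        // silently discarding baseDir, so rooted input is refused up front.
        if (Path.IsPathRooted(requestedName))
            return null;

        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        string full;
        try { full = Path.GetFullPath(Path.Combine(root, requestedName)); }
        catch (Exception e) when (e is ArgumentException || e is NotSupportedException || e is PathTooLongException)
        { return null; }

        // Defence in depth: the canonical path must still start with the root
        // (case-insensitive, matching Windows file system semantics).
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return null;

        // Extension check runs on the canonical path. A file with no extension
        // yields "" and is denied unless "" is explicitly on the allow-list.
        string ext = Path.GetExtension(full).TrimStart('.').ToLowerInvariant();
        return Array.IndexOf(allowedExtensions, ext) >= 0 ? full : null;
    }

    public static void Main()
    {
        // Constructed sample values, not taken from the advisory.
        string baseDir = Path.Combine(Path.GetTempPath(), "userfiles", "files");
        string[] allowed = { "jpg", "pdf", "txt" };
        string[] samples = { "report.pdf", "sub/notes.txt", "README",
                             "/constructed/outside.txt", @"C:\constructed\outside.txt" };
        foreach (string s in samples)
            Console.WriteLine("{0,-28} -> {1}", s, ResolveInsideBase(baseDir, s, allowed) ?? "(rejected)");
    }
}
```

The last two samples carry an allowed extension, which shows why an extension allow-list alone does not constrain where the file is read from.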

We would like to thank Tornike and his team for their submission, and we strongly recommend that everyone upgrade.

Changelog

See the whatsnew page for a list of changes.

Download

Download CKFinder now!

Support

Visit the support page for information about available support options.
