Is elFinder Media library a potential security risk?

Mautic 3.3.3 on ubuntu 20.4

I’m fooling around a bit with elFinder, the useful little media library that is, for some reason, hidden deep in the internals of email/landing page builder:

2021-08-12_18-03-24846×467 45.3 KB

(It seems a little odd that all of the system images are in there, also, but that is for another post!)

In fooling around with it, I landed on the elFinder github repo and saw this warning:

2021-08-12_18-05-06894×306 37.3 KB

I clicked on the “About elFinder” icon in the mautic version and see that we are running version 2.1.57:

2021-08-12_18-06-38846×467 70.1 KB

Is this element something that we can upgrade or swap out for the updated version?

Since elFinder is not publicly available (only available to your users) it should be fine. Unfortunately, this is only my semi-educated guess, and admittedly it worries me that your well put message with very legitimate concerns has been unanswered for 19 days…

Thanks, @sakrecoer. You are probably correct that it is fairly safe since it is not open to the world at large. And I agree - it is concerning that there are no replies. I’ve also tried to follow the documentation to understand more about elFinder, but so far I have not been able to find enough info to get started with it or really understand how it is implemented in Mautic. I’ve read through the GitHub files and their documentation (elFinder’s) but it definitely seems predicated on already knowing a good deal about the underlying technologies. I’m not quite there, yet…

Perhaps report it here instead @ericgr

fyi, it appears mautic 4.0.0 is either running a newer version or another tool