CVE-2024-38909

CRITICAL9.8EPSS 0.26%

Studio 42 elFinder vulnerable to Incorrect Access Control

Published: 7/30/2024Modified: 10/25/2024

Description

Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose secrets, perform RCE, etc.

Affected packages (1)

Packagist/studio-42/elfinderfrom 0, <= 2.1.64

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-38909
PATCHhttps://github.com/Studio-42/elFinder
WEBhttp://elfinder.com
WEBhttps://github.com/B0D0B0P0T/CVE/blob/main/CVE-2024-38909