CVE-2018-9109

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-9109
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-9109.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-9109
Aliases
Published
2018-03-28T06:29:00Z
Modified
2025-07-01T23:43:48.427270Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
[none]
Details

Studio 42 elFinder before 2.1.36 has a directory traversal vulnerability in the zipdl() function of elFinder.class.php that can allow a remote attacker to download files accessible by the web server process and delete files owned by the account running the web server process.

References

Affected packages

Git / github.com/studio-42/elfinder

Affected ranges

Type
GIT
Repo
https://github.com/studio-42/elfinder
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

1.*

1.0.1
1.1

2.*

2.0-beta
2.0-rc1
2.1.0
2.1.1
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.16
2.1.17
2.1.18
2.1.19
2.1.2
2.1.20
2.1.21
2.1.22
2.1.23
2.1.24
2.1.25
2.1.26
2.1.27
2.1.28
2.1.29
2.1.3
2.1.30
2.1.31
2.1.32
2.1.33
2.1.34
2.1.35
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9