CVE-2024-38909

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-38909

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38909.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-38909

Aliases

GHSA-3h9f-mm2x-4j58

Published

2024-07-30T14:15:02.897Z

Modified

2026-03-14T12:34:39.289441Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose secrets, perform RCE, etc.

References

Affected packages

Git / github.com/studio-42/elfinder

Affected ranges

Type

GIT

Repo

https://github.com/studio-42/elfinder

Events

Introduced

Last affected

deaa6797df1c6f288238b47284c9b593174bfc0f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.1.64"
        }
    ]
}

Affected versions

2.*

2.1.0

2.1.1

2.1.10

2.1.11

2.1.12

2.1.13

2.1.14

2.1.15

2.1.16

2.1.17

2.1.18

2.1.19

2.1.2

2.1.20

2.1.21

2.1.22

2.1.23

2.1.24

2.1.25

2.1.26

2.1.27

2.1.28

2.1.29

2.1.3

2.1.30

2.1.31

2.1.32

2.1.33

2.1.34

2.1.35

2.1.36

2.1.37

2.1.38

2.1.39

2.1.4

2.1.40

2.1.41

2.1.42

2.1.43

2.1.44

2.1.45

2.1.46

2.1.47

2.1.48

2.1.49

2.1.5

2.1.50

2.1.51

2.1.52

2.1.53

2.1.54

2.1.55

2.1.56

2.1.57

2.1.58

2.1.59

2.1.6

2.1.60

2.1.61

2.1.62

2.1.63

2.1.64

2.1.7

2.1.8

2.1.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38909.json"